Privacy Policy

Legal Disclaimer: This document is a template prepared with reference to the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches scheme (Part IIIC). It should be reviewed by a qualified Australian privacy lawyer before publication. It does not constitute legal advice.

Last Updated: 3 March 2026

1. About Us (APP 1 — Open and Transparent Management)

This Privacy Policy describes how LostMind AI Pty Ltd (ABN [TBD]), a company registered in New South Wales, Australia ("ChatCrawler", "we", "us", or "our"), manages the personal information it collects, holds, uses, and discloses in connection with ChatCrawler Intelligence Edition ("the Service").

We are committed to complying with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. This policy is intended to be open and transparent about our information-handling practices so that you can make informed decisions about providing your personal information to us.

Our address: Sydney, New South Wales, Australia

Privacy contact: privacy@chatcrawler.com

2. Scope of This Policy

This Privacy Policy applies to all personal information collected by ChatCrawler through:

  • The ChatCrawler web application and API;
  • Account registration and subscription management;
  • Customer support interactions; and
  • Cookies and server logs generated when you use the Service.

This policy should be read together with our Terms of Service, which governs your use of the Service.

3. Information We Collect (APP 3 — Collection of Solicited Personal Information)

We only collect personal information that is reasonably necessary for, or directly related to, the provision of the Service. The categories of personal information we collect include:

3.1 Account Information

  • Email address — required for account creation, authentication, and service communications
  • Name — optional; used for personalisation of the Service

3.2 Payment Information

  • Billing details — processed and stored by our payment provider, Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. We receive from Stripe a tokenised reference, the last four digits of your card, and the card expiry date for display in your account settings.

3.3 Technical and Usage Data

  • IP address — collected automatically for security monitoring, rate limiting, and abuse prevention
  • Browser type and operating system — collected via server logs
  • Usage data — including URLs you submit for extraction, API request counts, extraction stage used, response times, and error logs

3.4 User-Generated Content

  • Extracted web content — the text, data, and structured information extracted from websites you submit to the Service
  • Indexed content — vector embeddings generated from your extracted content, stored in your per-user vector database namespace
  • Chat histories — your RAG (Retrieval-Augmented Generation) chat conversations with your indexed content
  • AI-processed summaries — summaries and responses generated by AI from your extracted content

3.5 Unsolicited Personal Information (APP 4)

If we receive personal information that we did not solicit, and we determine that we could not have collected it under APP 3, we will destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.

4. How We Collect Personal Information

We collect personal information:

  • Directly from you — when you register for an account, subscribe to a paid tier, contact customer support, or submit URLs for extraction;
  • From third-party service providers — specifically Stripe (payment status and subscription events via webhooks) and Supabase (authentication events); and
  • Automatically — through server logs, cookies, and API request metadata when you interact with the Service.

Where it is reasonable and practicable to do so, we collect personal information directly from you rather than from third parties. We do not collect personal information by covert or deceptive means.

5. Notification of Collection (APP 5)

At or before the time we collect your personal information, we will take reasonable steps to notify you of the following matters (or ensure you are otherwise aware of them):

  • Our identity: LostMind AI Pty Ltd (ABN [TBD])
  • Purpose of collection: To provide, maintain, and improve the ChatCrawler Service; to process payments and manage subscriptions; to provide customer support; and to maintain the security and integrity of the Service
  • Consequences of not providing information: If you do not provide the personal information we request (such as your email address), we will be unable to create an account for you and you will not be able to use the Service. If you do not provide payment information, you will be limited to the Freemium tier.
  • Third parties to whom we disclose: See Section 6 below
  • This Privacy Policy: Which contains information about how you may access and seek correction of your personal information, how to lodge a complaint, and whether personal information is likely to be disclosed to overseas recipients

6. Use and Disclosure (APP 6)

6.1 Primary Purposes

We use your personal information for the primary purpose for which it was collected, namely:

  • Providing the ChatCrawler Service, including web extraction, content indexing, and RAG chat functionality;
  • Processing payments and managing your subscription via Stripe;
  • Authenticating your identity and securing your account;
  • Providing customer support and responding to your enquiries; and
  • Communicating important service-related information to you.

6.2 Secondary Purposes

We may use or disclose your personal information for a secondary purpose if:

  • The secondary purpose is related to the primary purpose (or, in the case of sensitive information, directly related), and you would reasonably expect us to use or disclose the information for that purpose;
  • You have consented to the use or disclosure; or
  • The use or disclosure is required or authorised by Australian law.

Our secondary purposes include:

  • Security monitoring: Detecting and preventing fraud, abuse, and unauthorised access
  • Service improvement: Analysing anonymised and aggregated usage patterns to improve the Service (this does not involve using individual scraped content or chat data)
  • Legal compliance: Responding to lawful requests from courts, law enforcement, or regulatory bodies

6.3 What We Do NOT Do

  • We do NOT sell your personal information to any third party, under any circumstances.
  • We do NOT use your scraped content or chat data to train AI models. Your extracted content and RAG conversations are used solely to provide the Service to you.
  • We do NOT aggregate data across users. Your extracted content, vector embeddings, and chat histories are stored in per-user isolated namespaces and are never combined with the data of any other user.
  • We do NOT share your extracted content with any other user or third party (except as described in this policy or as required by law).

6.4 Third-Party Service Providers

We disclose personal information to the following third-party service providers solely for the purpose of providing the Service:

Provider | Purpose | Data Shared
Stripe | Payment processing and subscription management | Email, name, payment details
Supabase (hosted on AWS) | Database, authentication | Account data, usage records, extraction metadata
Qdrant Cloud | Vector database for indexed content | Vector embeddings of extracted content (per-user isolated)
Upstash | Redis caching | Temporary session data, rate-limiting counters
Google (Gemini API) | AI content processing, summarisation, and chat responses | Extracted text sent for processing (not retained by Google under API terms)
Vercel | Frontend hosting and CDN | IP address, browser metadata (server logs)
Google Cloud Run | Backend API hosting | All data processed by the API (encrypted in transit)

7. Direct Marketing (APP 7)

We may send you service-related communications, including subscription confirmations, usage alerts, security notices, and product updates. These are transactional in nature and are necessary for the operation of the Service.

If we send you marketing communications (such as newsletters or promotional offers), we will:

  • Only do so with your consent or where you would reasonably expect it;
  • Include a clear and functional unsubscribe mechanism in every marketing communication;
  • Honour opt-out requests promptly and, in any event, within 5 business days; and
  • Comply with the Spam Act 2003 (Cth) and any applicable regulations.

You may opt out of marketing communications at any time by using the unsubscribe link in any email or by contacting us at privacy@chatcrawler.com.

8. Cross-Border Disclosure (APP 8)

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information, or that an exception under APP 8.2 applies. You should be aware that, if you consent to the cross-border disclosures described below, we may not be accountable under the Privacy Act if the overseas recipient handles the information in breach of the APPs, and you may not be able to seek redress under the Privacy Act.

The following third-party service providers process or store data outside Australia:

Provider | Service | Data Storage Location
Supabase (PostgreSQL) | Primary database and authentication | United States (AWS infrastructure)
Qdrant Cloud | Vector database for content embeddings | United States
Upstash (Redis) | Caching and rate limiting | United States
Stripe | Payment processing | United States
Google (Gemini API) | AI content processing | United States
Google Cloud Run | Backend API hosting | Australia (australia-southeast1, Sydney)

All data transmitted to overseas recipients is encrypted in transit using TLS 1.2 or higher. We select service providers that maintain industry-standard security certifications (SOC 2, ISO 27001, or equivalent) and that contractually agree not to use your data for purposes other than providing the contracted service.

9. Government-Related Identifiers (APP 9)

ChatCrawler does not collect, use, or disclose government-related identifiers (such as Tax File Numbers, Medicare numbers, or driver's licence numbers). We do not require you to provide any government-related identifier to use the Service.

10. Quality of Personal Information (APP 10)

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant. You can help us maintain the quality of your personal information by updating your account details promptly when your information changes. See Section 12 for how to access and correct your information.

11. Security of Personal Information (APP 11)

We take reasonable steps to protect the personal information we hold from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. Our security measures include:

  • Encryption in transit: All data transmitted between your browser and our servers, and between our servers and third-party providers, is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Data stored in our databases (Supabase and Qdrant) is encrypted at rest using AES-256 or equivalent encryption provided by the hosting infrastructure.
  • Per-user data isolation: Each user's extracted content and vector embeddings are stored in isolated namespaces within Qdrant, enforced by payload-level filtering. Your data is never co-mingled with another user's data.
  • Row Level Security (RLS): Our Supabase database enforces row-level security policies, ensuring that database queries only return data belonging to the authenticated user.
  • Authentication and access controls: Access to the Service requires authentication via secure session tokens. API access requires valid API keys. Administrative access to infrastructure is restricted and requires multi-factor authentication.
  • Regular security assessments: We conduct regular reviews of our security posture, including dependency vulnerability scanning and infrastructure configuration audits.

When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, we will take reasonable steps to destroy or de-identify the information.

12. Access and Correction (APPs 12 & 13)

12.1 Right of Access (APP 12)

You have the right to request access to the personal information we hold about you. You can access most of your information directly through the Service:

  • Account information: Account Settings → Edit Profile
  • Extracted content and chat history: Dashboard → My Data
  • Usage records: Dashboard → Usage
  • Full data export: Account Settings → Data Export (provides a machine-readable JSON export of all your data)

For information not accessible through the Service, you may submit a written access request to privacy@chatcrawler.com. We will respond to your request within 30 days. We will not charge a fee for making or responding to an access request unless the request is manifestly excessive.

We may refuse access in the limited circumstances permitted by APP 12.3, including where providing access would pose a serious threat to the life or health of any individual, or where the request is frivolous or vexatious. If we refuse access, we will provide you with written reasons for the refusal.

12.2 Right of Correction (APP 13)

You have the right to request correction of personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. You can correct most information directly through your account settings.

For corrections you cannot make yourself, contact us at privacy@chatcrawler.com. We will respond to correction requests within 30 days. If we refuse to correct the information, we will provide written reasons and, at your request, attach a statement to the information noting that you consider it inaccurate.

13. Data Retention and Deletion

13.1 Retention Periods

Extracted content, indexed vector data, and chat histories are retained for the following periods, depending on your subscription tier:

Subscription Tier | Retention Period
Freemium | 7 days
Basic | 30 days
Pro | 90 days
Max | 365 days

After the applicable retention period, your extracted content, vector embeddings, and chat histories are automatically and permanently deleted from our systems.

Account information (email, name, subscription status) is retained for the duration of your account plus 30 days after account deletion, to allow for account recovery in case of accidental deletion.

13.2 Voluntary Deletion

You may delete your data at any time through the Service:

  • Extraction history: Account Settings → Data Management → Delete Extractions
  • Chat history: Account Settings → Data Management → Delete Chat History
  • Full account deletion: Account Settings → Delete Account. This permanently deletes your account and all associated data, including extracted content, vector embeddings, chat histories, and account information.

Deletion requests initiated through the Service are processed within 30 days. This is equivalent to the right of erasure under the EU General Data Protection Regulation (GDPR), Article 17.

14. Artificial Intelligence Disclosure

ChatCrawler uses artificial intelligence (AI) and machine learning technologies. We believe in transparency about how AI is used within the Service.

14.1 How We Use AI

We use AI (specifically, Google's Gemini large language model) for the following purposes:

  • Content extraction: Stage 2 (Virtual Renderer) and Stage 4 (Vision Agent) of our extraction pipeline use AI to reconstruct and interpret web page content
  • Text summarisation: Generating summaries of extracted web content
  • RAG chat responses: Generating conversational answers grounded in your indexed content
  • PII detection: Scanning extracted content for potential personal information and alerting you before indexing

14.2 How We Do NOT Use AI

  • We do not use AI to make automated decisions that significantly affect your rights, interests, or access to services. Subscription management, billing, and account actions are handled by deterministic systems, not AI.
  • We do not use your data to train, fine-tune, or improve any AI or machine learning model. Data sent to the Google Gemini API is processed under Google's API terms of service, which (as of March 2026) state that API inputs and outputs are not used to train Google's models.

14.3 AI Accuracy and Limitations

Important: AI-generated content (including summaries, chat responses, and extraction results) may contain inaccuracies, omissions, or misinterpretations. AI responses do not constitute legal, financial, medical, or other professional advice. You should independently verify any critical information before relying on it.

15. Scraped Content and Personal Information

When you use ChatCrawler to extract content from websites, the extracted content may contain personal information about third parties (for example, names, email addresses, or phone numbers published on the target website).

  • PII detection: The Service includes automated PII detection that scans extracted content and warns you if it appears to contain personal information. This detection is best-effort and may not catch all instances.
  • Your responsibility: You are responsible for ensuring that your collection and use of any personal information obtained through the Service complies with the Privacy Act 1988 and the APPs. See Section 7 (User Warranties) of our Terms of Service for your obligations.
  • Per-user isolation: Any personal information contained in your extracted content is stored in your isolated data namespace and is not accessible to other users or used by us for any purpose other than providing the Service to you.

16. Cookies and Tracking Technologies

16.1 Cookies We Use

We use only essential cookies that are strictly necessary for the operation of the Service:

Cookie | Purpose | Duration
Session cookie | Maintains your authenticated session | Until browser close or session expiry
Authentication token | Verifies your identity on subsequent requests | 7 days (refreshed on use)
CSRF token | Prevents cross-site request forgery attacks | Session

16.2 What We Do Not Use

  • We do not use third-party advertising cookies.
  • We do not use tracking pixels or web beacons.
  • We do not participate in cross-site tracking or retargeting networks.

16.3 Analytics

We may use privacy-focused analytics tools to understand aggregated usage patterns (such as page views and feature adoption). If we implement analytics, we will update this section to identify the provider and the data collected. Any analytics tool we adopt will be configured to anonymise IP addresses and will not use third-party cookies.

17. Notifiable Data Breaches (NDB Scheme)

We comply with the Notifiable Data Breaches (NDB) scheme established under Part IIIC of the Privacy Act 1988 (Cth).

In the event of an eligible data breach — that is, a breach that is likely to result in serious harm to any individual whose personal information is involved — we will:

  1. Assess the breach: Conduct a prompt assessment to determine whether the breach is an eligible data breach within the meaning of the Act;
  2. Notify the OAIC: If the breach is assessed as eligible, notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable;
  3. Notify affected individuals: Notify each individual whose personal information is involved in the breach, or who is at risk of serious harm as a result of the breach, including a description of the breach, the type of information involved, and recommended steps to mitigate potential harm; and
  4. Take remedial action: Take all reasonable steps to contain the breach, mitigate potential harm, and prevent future breaches.

18. Children's Privacy

The Service is not intended for, and is not directed at, individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18 without verified parental consent, we will take reasonable steps to delete that information as soon as practicable.

If you believe that we have inadvertently collected personal information from a child, please contact us immediately at privacy@chatcrawler.com.

19. Complaints

19.1 Internal Complaints Process

If you believe that we have breached the APPs or otherwise handled your personal information inappropriately, you may lodge a complaint with us. Complaints should be directed to:

We will acknowledge receipt of your complaint within 5 business days and will investigate and respond to your complaint within 30 days. If we need additional time to investigate, we will notify you of the expected timeframe.

19.2 External Complaints — Office of the Australian Information Commissioner (OAIC)

If you are not satisfied with our response to your complaint, or if you wish to make a complaint directly, you may contact the OAIC:

Office of the Australian Information Commissioner (OAIC)

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, legal requirements, or other factors.

For material changes, we will provide you with at least 30 days' notice via email to the address associated with your account and/or by displaying a prominent notice on the Service. We encourage you to review this policy periodically.

The "Last Updated" date at the top of this page indicates when the most recent revision was published.

21. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

Summary of Your Rights

Right | How to Exercise
Access your data | Account Settings → Data Export
Correct your data | Account Settings → Edit Profile
Delete your data | Account Settings → Delete Account
Export your data | Account Settings → Data Export (JSON format)
Opt out of marketing | Unsubscribe link in emails, or contact privacy@chatcrawler.com
Lodge a complaint | Email privacy@chatcrawler.com or contact the OAIC (see Section 19)

This Privacy Policy is effective as of 3 March 2026 and applies to all users of ChatCrawler Intelligence Edition.

© 2026 LostMind AI Pty Ltd. All rights reserved.