Privacy Policy

How we collect, use, and protect your personal information across the Difinity platform.

DIFINITY.AI — PRIVACY POLICY

Version: 1.0
Effective Date: Nov 19, 2025
Operator: Difinity Pty Ltd (Australia)
Trading As: Difinity.ai
Primary Jurisdiction: Australia (with multi-jurisdictional compliance)


1. Introduction

Difinity Pty Ltd (“Difinity”, “we”, “us”) provides enterprise AI governance software, including:

  • Difinity Hub — a management console for AI governance, policy controls, PII settings, analytics, and audit trails.
  • Difinity Flow — a unified API that enforces policies, performs PII redaction, routes AI requests to approved models, and provides auditability.

We process personal data in compliance with:

  • EU GDPR
  • UK GDPR
  • Australian Privacy Act 1988
  • US CCPA/CPRA
  • Canada PIPEDA/CASL
  • Malaysia PDPA
  • Applicable international privacy laws

Difinity acts as:

  • Controller for Hub accounts, billing, and platform usage analytics
  • Processor for AI request data received via Difinity Flow, processed strictly under customer instruction

2. Scope

This Privacy Policy applies to:

  • Visitors to the Difinity.ai website
  • Users of Difinity Hub
  • Customers integrating Difinity Flow
  • Cloud, private cloud, and on-premise deployments
  • Personal data processed in both Controller and Processor capacities

Where this Policy conflicts with a signed Data Processing Agreement (DPA), the DPA prevails.


3. Definitions

Personal Data — information relating to an identifiable natural person.
Processor Role — Difinity processes runtime API data solely under customer instruction.
Controller Role — Difinity controls account, billing, security, and platform analytics data.


4. Personal Data We Collect

4.1 Data Provided Directly (Controller Role)

Account Information

  • Name
  • Email
  • Organisation
  • Role & permissions
  • Password hash
  • MFA metadata

Billing Information

  • Billing address
  • Organisation name
  • Payment method token (PCI-compliant)
  • Invoice and transaction history

4.2 Data Processed Through Difinity Flow (Processor Role)

Data customers send to our API may include personal data contained in:

  • Prompts and conversation history
  • Messages & documents
  • Context windows
  • Model outputs
  • Headers & request metadata

Difinity Flow applies customer-configured controls:

PII Detection & Redaction

  • Automatic PII entity identification
  • Redaction before provider inference
  • Encrypted session-scoped cache
  • Optional restoration after inference
  • History-aware PII tracking

Content Safety & Compliance Checks

  • Manipulative behaviour detection
  • Social scoring prevention
  • Blacklisted keyword filtering
  • Disallowed topic blocking
  • Bias and harm checks
  • Custom organisation-defined rules

4.3 Automatically Collected Data

Platform Activity

  • Login events
  • Token creation/expiry
  • Use case changes
  • Role updates

Flow Runtime Telemetry

  • Model/provider usage
  • Token counts
  • Latency
  • Audit logs
  • Cost analytics

Device & Network

  • IP address
  • Browser metadata
  • User agent
  • Operating system
  • Timestamp

Cookies

  • Essential cookies
  • Analytics cookies (where consented)
    (See Cookie Policy.)

5. Lawful Basis for Processing

5.1 EU/UK GDPR Basis

| Processing Purpose | Lawful Basis |
|---|---|
| Account creation, authentication | Art. 6(1)(b) – Contract |
| Hub service delivery | Art. 6(1)(b) – Contract |
| Platform security/analytics | Art. 6(1)(f) – Legitimate Interests |
| Flow API processing | Art. 28 – Processor |
| Billing & compliance | Art. 6(1)(c) – Legal Obligation |
| Marketing | Art. 6(1)(a) – Consent |

5.2 CCPA/CPRA (California)

  • We do not sell personal information.
  • Users retain rights to access, delete, correct, and opt out of sharing.

6. How We Use Personal Data

  • Provide Difinity Hub and Flow services
  • Enforce PII, moderation, and compliance rules
  • Perform model routing and cost optimisation
  • Generate audit logs and observability metrics
  • Manage billing and invoices
  • Detect misuse or violations
  • Maintain platform availability and security
  • Provide support and respond to enquiries
  • Comply with legal obligations

We do not train ML models on customer data.


7. Automated Processing & AI

Difinity performs automated:

  • PII detection
  • Redaction
  • Moderation
  • Compliance checks
  • Model/provider routing

These processes do not produce legal or similarly significant effects on individuals.

Customers fully control:

  • Routing priorities
  • Allowed models/providers
  • PII rules
  • Compliance configurations

8. Data Sharing

8.1 Subprocessors

We use subprocessors for:

  • Cloud hosting (AWS/GCP/Azure)
  • Logging & monitoring
  • Email delivery
  • Secure payments
  • Infrastructure security

List: https://difinity.ai/subprocessors


8.2 AI Providers (Customer-Configured)

Depending on customer settings, redacted content may be routed to:

  • OpenAI
  • Anthropic
  • Google
  • DeepSeek
  • xAI (Grok)

8.3 Legal Disclosures

We may disclose data where required by law in:

  • Australia
  • EU/EEA
  • UK
  • United States
  • Canada
  • Malaysia

9. International Transfers

Difinity supports:

  • Region-specific hosting
  • Private cloud
  • On-premise / air-gapped deployments

Where transfers occur:

EU/EEA

  • Standard Contractual Clauses (SCCs)
  • Supplemental safeguards

UK

  • UK IDTA or SCC Addendum

US/Canada/Malaysia/Australia

  • Contractual and organisational safeguards

10. Data Retention

Hub Data

  • Retained while the account is active + 7 years (billing/legal)

Flow Runtime Data (Processor Role)

Defaults (customer-configurable):

  • Request content: ephemeral, deleted after processing
  • Audit logs: 30–180 days
  • PII cache: minutes–hours
  • Usage logs: aggregated after expiry

Backups

  • Encrypted backups retained 30–90 days

11. Your Rights

EU/UK GDPR Rights

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection
  • Review of automated processing

CCPA/CPRA Rights

  • Right to know
  • Right to delete
  • Right to correct
  • Right to opt out

Canada (PIPEDA)

  • Access
  • Correction
  • Challenge compliance

Australia (APPs)

  • Access
  • Correction
  • Complaint rights

Malaysia (PDPA)

  • Access
  • Correction
  • Withdrawal of consent

To exercise rights:
📧 privacy@difinity.ai


12. Security

  • TLS 1.2+ encryption
  • AES-256 encryption at rest
  • Zero trust principles
  • RBAC, least privilege
  • API token rotation
  • Audit logging
  • Annual penetration tests
  • On-premise isolation options

13. Children’s Data

Our services are not intended for individuals under 18.
We do not knowingly collect data from children.


14. Jurisdiction-Specific Disclosures

Australia (Primary Default)

We comply with the Australian Privacy Principles (APPs).

EU Representative (If Required)

Listed at: https://difinity.ai/legal/eu-rep

UK Representative (If Required)

Listed at: https://difinity.ai/legal/uk-rep

California

We do not sell/share personal information.

Canada (CASL)

Marketing emails require consent.

Malaysia PDPA

Sensitive data is processed only with explicit consent or customer direction.


15. Policy Updates

We may update this Policy periodically.
Material changes will be communicated via Difinity Hub or email.


16. Contact Us

Difinity Pty Ltd
📧 privacy@difinity.ai
📧 legal@difinity.ai
📍 Sydney, Australia