Privacy Policy
Difinity.ai Pty Ltd
Effective Date: 1 March 2026 | Last Updated: 1 March 2026
This Privacy Policy describes how Difinity.ai Pty Ltd (ABN 82 686 692 759) and its affiliates (collectively, "Difinity," "we," "us," or "our") collect, use, disclose, and otherwise process personal data in connection with our website at https://difinity.ai (the "Site"), our enterprise AI governance platform (the "Platform"), and all related services, tools, and communications (collectively, the "Services").
Difinity is an Enterprise AI Governance Platform that delivers runtime compliance enforcement for regulated industries. We intercept, scan, enforce, and log every AI interaction in real time — one governance layer between your applications and every LLM provider.
This Privacy Policy applies globally and addresses the requirements of the European Union General Data Protection Regulation (EU GDPR), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (UK GDPR), the Australian Privacy Act 1988 (Cth), the United States California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), applicable US state privacy laws, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable privacy legislation in the Middle East, including the UAE Federal Data Protection Law, the DIFC Data Protection Law, the ADGM Data Protection Regulations, and the Kingdom of Saudi Arabia Personal Data Protection Law (KSA PDPL).
1. Data Controller and Contact Information
The data controller responsible for processing your personal data is:
Difinity.ai Pty Ltd
ABN: 82 686 692 759
Registered Address: Sydney, NSW, Australia
Privacy Enquiries: privacy@difinity.ai
Legal Enquiries: legal@difinity.ai
1.1 EU/UK Representative
As Difinity is established in Australia and processes personal data of individuals located in the European Union and the United Kingdom, we are in the process of appointing a representative within the EU/UK pursuant to Article 27 of the EU GDPR and the equivalent provision under the UK GDPR. Once appointed, the representative's details will be published here and on our Site. In the interim, all data protection enquiries may be directed to privacy@difinity.ai.
1.2 Data Protection Officer
For all data protection matters, including exercising your rights under applicable data protection legislation, please contact our privacy team at privacy@difinity.ai. We will respond to all legitimate requests within the timeframes prescribed by applicable law.
2. Personal Data We Collect
We collect and process personal data in several contexts. The categories of personal data we collect depend on how you interact with our Services.
2.1 Account and Registration Data
When you create an account, request a demo, or register for our Services, we collect: your name, business email address, job title, company name, company size, industry, country of residence, telephone number (if provided), and your chosen authentication credentials.
2.2 Platform Usage Data
When you use the Difinity Platform, we process data necessary to provide the Services, including: AI request and response metadata (timestamps, model identifiers, routing decisions, policy enforcement actions), audit trail records (policy decisions, compliance events, content filtration actions), use case configurations and policy settings, PII detection and redaction logs (noting that redacted content is not stored in identifiable form), and system performance and error data.
2.3 Data Processed on Behalf of Customers (Processor Role)
When our enterprise customers use the Difinity Platform to govern their AI interactions, we act as a data processor on their behalf. In this capacity, we process data submitted to the Platform by or on behalf of our customers ("Customer Data"), which may include personal data contained within AI prompts and responses that transit through Difinity Flow. The nature and categories of Customer Data are determined by the customer and governed by our Data Processing Agreement ("DPA").
Important: Difinity's PII Detection and Redaction features are specifically designed to detect and mask personal data before it is transmitted to external LLM providers. When PII Redaction is enabled, personally identifiable information is automatically detected and redacted prior to any data leaving the customer's governance boundary. The Difinity Platform does not store unredacted Customer Data once the redaction process is complete.
2.4 Website and Marketing Data
When you visit our Site, subscribe to our newsletter, download resources, or interact with our marketing content, we collect: your name and business email address, information provided through forms (including consent records, opt-in timestamps, and IP addresses), device and browser information (user agent, screen resolution, operating system), IP address (truncated and anonymised where technically feasible), pages visited, referring URLs, and click and engagement data.
2.5 Communication Data
When you contact us via email, our website contact forms, or other communication channels, we collect the content of your communications, your contact details, and any attachments or additional information you choose to provide.
2.6 Cookies and Tracking Technologies
We use strictly necessary cookies to enable core Site functionality. We do not use third-party advertising cookies. Analytics data is collected only with your explicit consent where required by applicable law. Our cookie consent mechanism defaults to "reject all" and provides granular controls. For full details, see our Cookie Policy available on our Site.
3. Legal Bases for Processing
We process personal data on the following legal bases under the EU GDPR and UK GDPR:
3.1 Performance of a Contract (Article 6(1)(b))
Processing necessary to provide the Services to you under our Terms of Service or a negotiated enterprise agreement, including account creation, Platform access, service delivery, billing, and technical support.
3.2 Consent (Article 6(1)(a))
Where you have provided explicit, informed consent — for example, subscribing to our newsletter, downloading gated content, or opting into analytics tracking. You may withdraw consent at any time by contacting privacy@difinity.ai or using the unsubscribe mechanism provided in each communication. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
3.3 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include: improving and securing our Services, conducting business analytics, preventing fraud and abuse, and communicating about products and services relevant to your business needs. You have the right to object to processing based on legitimate interests.
3.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations to which we are subject, including tax reporting, financial recordkeeping, regulatory compliance requirements, and responding to lawful requests from authorities.
3.5 Additional Bases — Australian Privacy Act
Under the Australian Privacy Act 1988 (Cth), we collect and use personal information only where it is reasonably necessary for, or directly related to, one or more of our functions or activities, and only by lawful and fair means. We comply with the Australian Privacy Principles (APPs) and will not collect sensitive information without your consent unless an exception applies.
3.6 Additional Bases — CCPA/CPRA (United States)
Under the CCPA/CPRA, we collect personal information for the business and commercial purposes described in this Privacy Policy. We do not sell personal information, and we do not share personal information for cross-context behavioural advertising. California residents have specific rights as described in Section 8 below.
3.7 Additional Bases — PIPEDA (Canada)
Under PIPEDA, we obtain meaningful consent for the collection, use, and disclosure of personal information. The form of consent (express or implied) depends on the sensitivity of the information and the reasonable expectations of the individual.
3.8 Additional Bases — Middle East Jurisdictions
Where our Services are accessed from jurisdictions in the Middle East, including the United Arab Emirates, the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Kingdom of Saudi Arabia, we process personal data in accordance with the applicable data protection legislation in those jurisdictions, including the UAE Federal Decree-Law No. 45 of 2021, the DIFC Data Protection Law No. 5 of 2020, the ADGM Data Protection Regulations 2021, and the KSA Personal Data Protection Law (Royal Decree M/19 of 2021). Processing is carried out on the basis of legitimate business purposes, contractual necessity, or consent, as applicable under the relevant legislation.
4. How We Use Personal Data
4.1 To Provide and Improve the Services
We use personal data to deliver, operate, maintain, and improve the Difinity Platform, including Difinity Hub, Difinity Flow, Secure Chat, Prompt Registry, LLM Analysis, Cost Dashboard, Audit Trail, PII Redaction, and Intelligent Routing capabilities. This includes processing AI requests through our runtime enforcement gateway, enforcing compliance policies in real time, detecting and redacting PII before transmission to external LLM providers, generating audit trails and compliance reports, routing AI requests across supported providers (including OpenAI, Anthropic, Google, xAI, and DeepSeek), and providing cost attribution and performance analytics.
4.2 To Communicate with You
We use your contact information to respond to enquiries, provide technical support, send transactional communications (such as account notifications and service updates), and, where you have opted in, deliver marketing communications including AI governance insights, regulatory updates, and product information.
4.3 For Security and Fraud Prevention
We use personal data to protect the security and integrity of our Services, detect and prevent fraud, abuse, and security incidents, and enforce our Terms of Service and Acceptable Use Policy.
4.4 For Legal and Compliance Purposes
We use personal data to comply with applicable laws and regulations, respond to lawful requests from authorities, establish, exercise, or defend legal claims, and fulfil our obligations under the EU AI Act, ISO 42001, NIST AI RMF, and other applicable governance frameworks.
4.5 For Business Analytics
We use aggregated and anonymised data to understand usage patterns, improve our Products, and make business decisions. Anonymised data is not personal data and is not subject to the restrictions in this Privacy Policy.
5. How We Share Personal Data
We do not sell personal data. We share personal data only in the following limited circumstances:
5.1 Service Providers and Sub-processors
We engage trusted third-party service providers who process personal data on our behalf to support the delivery of our Services. All sub-processors are bound by data processing agreements that impose obligations substantially equivalent to those set out in this Privacy Policy. A list of our current sub-processors is available upon request by contacting privacy@difinity.ai.
5.2 LLM Providers
When you use the Difinity Platform to interact with third-party LLM providers, AI requests are routed through Difinity Flow to the selected provider. Where PII Redaction is enabled, personal data is automatically detected and masked before any data is transmitted to the LLM provider. Difinity supports multiple providers including OpenAI, Anthropic, Google, xAI, and DeepSeek. The customer controls which providers are enabled for each use case.
5.3 Legal Requirements
We may disclose personal data where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect, prevent, or address fraud, security, or technical issues.
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or other similar transaction, personal data may be transferred to the acquiring entity. We will provide notice before personal data is transferred and becomes subject to a different privacy policy.
5.5 With Consent
We may share personal data with your consent or at your direction.
6. International Data Transfers
Difinity.ai Pty Ltd is headquartered in Sydney, Australia. We operate infrastructure in multiple regions to serve our global customer base.
6.1 Hosting Infrastructure
The Difinity Platform is deployed across two primary hosting regions: AWS Asia-Pacific (Sydney, ap-southeast-2) for our Australian and Asia-Pacific customers, and AWS Europe (Frankfurt, eu-central-1) for our European and UK customers. Customer Data is processed and stored within the region corresponding to the customer's deployment, unless otherwise agreed in writing.
6.2 Transfer Mechanisms — EU and UK
Where personal data originating in the European Economic Area (EEA) or the United Kingdom is transferred to Australia or any other country outside the EEA/UK that has not received an adequacy decision, we implement appropriate safeguards in accordance with Chapter V of the EU GDPR and UK GDPR, including: EU Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and Transfer Impact Assessments (TIAs) conducted in accordance with the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18). Copies of these safeguards are available upon request.
6.3 Transfer Mechanisms — Australia
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure the recipient handles the information in accordance with the Australian Privacy Principles, as required by APP 8. Our contractual arrangements with overseas service providers include obligations to protect personal information to a standard consistent with the Australian Privacy Act 1988.
6.4 Transfer Mechanisms — Canada
Where personal information is transferred outside Canada, we ensure a comparable level of protection through contractual commitments, as required by PIPEDA.
6.5 Transfer Mechanisms — Middle East
Where personal data originating in the UAE, DIFC, ADGM, or KSA is transferred outside those jurisdictions, we implement appropriate safeguards as required by the applicable legislation, including contractual clauses, binding corporate rules, or reliance on adequacy determinations where available.
6.6 Transfer Mechanisms — United States
We store and process personal data of US-based users in accordance with applicable US federal and state privacy laws. Where data is transferred internationally, we implement contractual safeguards to protect personal data.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by applicable law.
7.1 Account Data
We retain account data for the duration of your active account and for a period of twelve (12) months following account closure, unless a longer retention period is required by law or to resolve disputes.
7.2 Platform Data and Audit Trails
Audit trail records and compliance logs are retained in accordance with the customer's configuration and the applicable regulatory retention requirements. The default retention period for audit data is as specified in the applicable enterprise agreement or DPA.
7.3 Marketing Data
We retain marketing contact data for as long as you remain subscribed to our communications. Contacts with no engagement for twelve (12) months are automatically flagged for removal from our marketing database. Consent records (including opt-in timestamps, form URLs, consent text shown, and IP addresses) are retained for the duration of the contact relationship plus five (5) years to evidence compliance with GDPR and ePrivacy requirements.
7.4 Website Analytics Data
Anonymised website analytics data is retained for a maximum of twenty-six (26) months from the date of collection.
7.5 Communication Records
Records of support interactions and business correspondence are retained for three (3) years following the last interaction, unless a longer period is required by law.
8. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. To exercise any of these rights, please contact privacy@difinity.ai.
8.1 Rights Under the EU GDPR and UK GDPR
If you are located in the EEA or the United Kingdom, you have the right to: access the personal data we hold about you (Article 15); rectify inaccurate or incomplete personal data (Article 16); erase your personal data in certain circumstances (Article 17); restrict the processing of your personal data (Article 18); receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller (data portability, Article 20); object to the processing of your personal data, including for direct marketing (Article 21); not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Article 22); and withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
You also have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at https://edpb.europa.eu.
8.2 Rights Under the Australian Privacy Act
If you are located in Australia, you have the right to: request access to the personal information we hold about you (APP 12); request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13); and lodge a complaint about our handling of your personal information with us or with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
8.3 Rights Under the CCPA/CPRA (California, United States)
If you are a California resident, you have the right to: know what personal information we collect, use, disclose, and sell (if applicable); delete your personal information, subject to certain exceptions; correct inaccurate personal information; opt out of the sale or sharing of personal information (noting that Difinity does not sell or share personal information for cross-context behavioural advertising); limit the use and disclosure of sensitive personal information; and not be discriminated against for exercising your privacy rights.
To submit a request, please contact privacy@difinity.ai. We will verify your identity before processing your request. You may designate an authorised agent to make a request on your behalf.
Do Not Sell or Share: Difinity does not sell personal information and does not share personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA.
8.4 Rights Under US State Privacy Laws
Residents of states with comprehensive privacy legislation (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted) may have additional rights, including rights to access, delete, correct, and opt out of certain processing activities. We honour these rights to the extent required by applicable law. Please contact privacy@difinity.ai to exercise your rights.
8.5 Rights Under PIPEDA (Canada)
If you are located in Canada, you have the right to: access the personal information we hold about you; challenge the accuracy and completeness of your personal information and have it amended as appropriate; and withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.
8.6 Rights Under Middle East Legislation
If you are located in the UAE, DIFC, ADGM, or KSA, you may have the right to: access your personal data; request rectification or erasure of your personal data; object to or restrict the processing of your personal data; receive your personal data in a portable format; and lodge a complaint with the relevant data protection authority. Specific rights and procedures may vary by jurisdiction. Please contact privacy@difinity.ai for assistance.
8.7 Response Timeframes
We will respond to all legitimate data subject requests within the timeframes prescribed by applicable law. Under the EU GDPR and UK GDPR, this is within one (1) month, extendable by a further two (2) months where necessary. Under the CCPA/CPRA, this is within forty-five (45) days, extendable by a further forty-five (45) days. Under the Australian Privacy Act, this is within a reasonable period, generally thirty (30) days. Under PIPEDA, this is within thirty (30) days.
9. Security of Personal Data
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to: encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256), access controls based on the principle of least privilege, regular security assessments and vulnerability testing, audit logging of all access to personal data, incident response and breach notification procedures, and employee security training and confidentiality obligations.
While we take commercially reasonable measures to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.
10. Children's Privacy
Our Services are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact privacy@difinity.ai and we will take steps to delete such data.
11. Automated Decision-Making and Profiling
The Difinity Platform includes features such as PII Detection, Bias Detection, Decision Detection, and Content Filtration that involve automated processing of data. These features operate as tools within the customer's governance framework and are configured and controlled by the customer.
Difinity does not use automated decision-making or profiling that produces legal effects concerning individuals or similarly significantly affects them, except where: processing is necessary for the performance of a contract; processing is authorised by applicable law; or the individual has given explicit consent. Where automated processing is used, customers are responsible for ensuring that appropriate safeguards are in place, including the right to obtain human intervention, express their point of view, and contest the decision.
12. Third-Party Links and Services
Our Site and Services may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our Site or Platform.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the updated Privacy Policy on our Site with a revised "Last Updated" date. Where required by applicable law, we will obtain your consent to material changes. We encourage you to review this Privacy Policy periodically.
14. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of New South Wales, Australia, without regard to its conflict-of-laws principles. This does not affect your statutory rights under the applicable data protection legislation of your jurisdiction, including the EU GDPR, UK GDPR, CCPA/CPRA, PIPEDA, the Australian Privacy Act, or applicable Middle Eastern data protection laws.
Disputes arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of New South Wales, Australia, except where mandatory local law requires adjudication in a different forum.
15. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about our handling of your personal data, please contact us:
Privacy Enquiries: privacy@difinity.ai
Legal Enquiries: legal@difinity.ai
Postal Address: Difinity.ai Pty Ltd, Sydney, NSW, Australia
We will acknowledge receipt of your enquiry within five (5) business days and endeavour to provide a substantive response within the timeframes prescribed by applicable law.
© 2026 Difinity.ai Pty Ltd. All rights reserved.