This policy sets out how Obsidia (Client Plus Solutions Pty Ltd) manages personal information in compliance with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). It is distinct from our Privacy Policy, which covers specific data handling practices in detail.
Obsidia is an AI-powered knowledge and workflow platform operated by Client Plus Solutions Pty Ltd (ABN to be confirmed), a company incorporated in Australia. We are an APP entity and are bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth).
In this policy, "we", "our", and "us" refer to Client Plus Solutions Pty Ltd. "Platform" refers to the Obsidia application and associated services. "Customer" refers to the organisation contracted with us. "User" refers to individuals who access the Platform through a Customer's account.
Obsidia has designated a Privacy Officer who is the first point of contact for all privacy-related matters, including access and correction requests, complaints, and Notifiable Data Breaches (NDB) assessments.
The Privacy Officer is responsible for maintaining this policy, overseeing APP compliance, managing the annual review cycle, and acting as Incident Commander for NDB assessments.
When a Customer invites a User, we collect their email address, first name, and last name. This is used to verify identity and control access to the Platform.
Users create content on the Platform — AI conversations, uploaded documents, workflow run inputs and outputs, and prompt library entries. This content may contain personal information depending on what Users choose to include. Customers determine what content enters the Platform.
We collect metadata about Platform usage including timestamps, token counts, and abbreviated query and response previews. This is used for compliance, troubleshooting, and service improvement. We do not use workspace content to train AI models.
Where Customers configure integrations (SharePoint, Confluence), the Platform retrieves and indexes documents. This content is held for the duration of the integration.
Where Customers enable the public portal, external users provide their email to access portal conversations. This is collected on behalf of the Customer under that Customer's portal privacy notice.
We collect and use personal information only for the following purposes:
We do not sell personal information. We do not use workspace content to train, fine-tune, or improve AI models. We do not use personal information for direct marketing without explicit consent.
Disclosure to third parties occurs only where necessary to deliver the Platform (see our sub-processor register) or where required by law.
Under APPs 12 and 13, individuals have the right to access personal information we hold about them and to request correction of inaccurate or out-of-date information.
Users should first contact their organisation's Platform administrator, who can export or correct information through the Admin panel. The administrator can also raise a deletion request on the User's behalf.
Direct access or correction requests can be made by emailing privacy@obsidia.com.au. We will acknowledge the request within 5 business days and respond within 30 days. If we cannot provide access (for example, because doing so would reveal another person's personal information), we will explain why in writing.
If we agree information is inaccurate or out of date, we will correct it within 30 days. If we disagree, we will record your correction request alongside the information and explain our decision in writing.
If you believe Obsidia has mishandled your personal information, you can make a complaint. See our full privacy complaints procedure for the complete process, SLAs, and escalation path.
In summary: send your complaint to privacy@obsidia.com.au. We will acknowledge within 5 business days and resolve within 30 days. If you are not satisfied, you may escalate to the Office of the Australian Information Commissioner (OAIC).
Some personal information processed through the Platform is disclosed to overseas recipients as part of service delivery. This occurs for AI inference (Anthropic — USA), embeddings (Voyage AI — USA), error monitoring (Sentry — USA), and application hosting (Netlify — global CDN). Full details, including region, purpose, and reasonable-steps assessment for each recipient, are published in our Overseas Disclosure Register.
Before disclosing information to an overseas recipient, we take reasonable steps (contractual protections, DPA review, or opt-out of model training) to ensure the recipient does not breach the APPs in relation to that information, as required by APP 8.1.
For Customers with strict data residency requirements, the Compliance tier uses Australian-hosted infrastructure (AWS Bedrock, ap-southeast-2) for all AI inference and storage, with no overseas disclosure of Customer Data.
The table below summarises how Obsidia addresses each APP. The detailed mapping is maintained internally in client/docs/privacy-compliance-mapping.md.
APP 5 requires us to notify individuals at or near the time of collection. The table below lists each collection point and the notice provided.
| Collection point | What is collected | Notice method |
|---|---|---|
| User sign-up (email invitation) | Email address, name | Invitation email links to Privacy Policy; sign-up screen links to this policy |
| SSO sign-in | Email address, name (from IdP) | First-login notice displayed in app; Privacy Policy linked |
| Document upload | Document content (may include personal information) | Info tooltip on upload panel explains processing purpose and sub-processors |
| Chat / AI conversations | Message content; may include personal information depending on User input | Platform help section; Privacy Policy accessible from app footer |
| Workflow inputs | Structured inputs (client names, matter details); may include personal information | Workflow run screen links to Privacy Policy; info tooltips on sensitive fields |
| Connector configuration (M365, Confluence) | Document content from connected sources; may include personal information | Connector setup screen includes prominent notice about content indexing and sub-processors |
| Engagement portal (external users) | Email address (to access portal); conversation content | Portal entry screen displays collection notice; Customer's own privacy notice applies |
We implement technical and organisational measures to protect personal information, including:
For a full description of our security posture, see our Incident Response Plan and contact security@obsidia.com.au.