This policy explains how Obsidia (Client Plus Solutions Pty Ltd) collects, uses, stores, and protects personal information in connection with the Obsidia platform.
Obsidia is an AI-powered knowledge and workflow platform operated by Client Plus Solutions Pty Ltd (ABN to be confirmed), a company incorporated in Australia. We are an APP entity under the Privacy Act 1988 (Cth) and are bound by the Australian Privacy Principles (APPs).
In this policy, "we", "our", and "us" refer to Client Plus Solutions Pty Ltd. "Platform" refers to the Obsidia application and any associated services. "Customer" refers to the organisation that has contracted with us to use the Platform. "User" refers to individuals who access the Platform through a Customer's account.
If you have questions about this policy, contact us at privacy@obsidia.com.au.
When a Customer invites a User to the Platform, we collect the User's email address, first name, and last name. We store this information in our authentication service (Supabase Auth) to verify identity and control access.
Users create content on the Platform including AI conversations, messages, uploaded documents, workflow run inputs and outputs, and prompt library entries. This content may contain personal information depending on what Users choose to include. Customers determine what content is created and are responsible for ensuring that content shared with the Platform complies with applicable laws.
We collect metadata about Platform usage including timestamps, token counts, response types, and abbreviated query and response previews. This data is used for compliance, troubleshooting, and service improvement. We do not use workspace content to train AI models.
Where Customers configure integrations (such as SharePoint or Confluence), the Platform retrieves and indexes documents from those sources. This content is stored in Obsidia's infrastructure for the duration of the connector integration and is subject to the retention defaults described in Section 04.
Where Customers enable the public engagement portal, external users (such as clients or prospects) provide their email address to access portal conversations. This information is collected on behalf of the Customer and is subject to that Customer's engagement portal privacy notice.
We use personal information to:
We do not sell personal information. We do not use workspace content to train, fine-tune, or improve AI models. We do not use personal information for direct marketing without explicit consent.
We retain different categories of data for different periods, reflecting their sensitivity and the purpose for which they were collected. The table below sets out our default retention windows. Platform administrators can configure shorter windows for their workspace through the Admin > Retention settings.
| Data class | Default retention | Notes |
|---|---|---|
| Conversations & messages | 2 years | Configurable per workspace. After expiry, hard-deleted including all messages. Covers internal AI conversations. |
| Workflow run outputs | 2 years | Configurable per workspace. Workflow steps and events are cascade-deleted with the run. |
| Engagement portal sessions | 90 days | External-user conversations from the public widget. Shorter window reflects the lower ongoing need for external prospect data. |
| AI output audit log | Indefinite (configurable) | Records abbreviated query and response previews for compliance purposes. Customers with regulatory audit requirements may set a longer window independently of the conversation retention window. |
| Uploaded documents & embeddings | Duration of workspace | Deleted when the document is removed by an admin or when the workspace is deleted. Embeddings cascade-delete with the source document. |
| Prompt library entries | No automatic deletion | Customer-authored knowledge assets. Deletion is an explicit admin action, not time-based. |
| User profiles (active) | Duration of account | Retained while the user is active on the Platform. |
| User profiles (deactivated) | 90 days after deactivation | On deactivation, PII (email, name) is archived internally for 90 days to allow dispute resolution and re-activation. After 90 days, PII is permanently anonymised and the archive is deleted. The user's internal identifier is retained indefinitely for audit log integrity but contains no personal information after anonymisation. |
| Security & governance audit log | Indefinite | Records of administrative actions (invitations, role changes, deactivations). Retained for the life of the Platform for compliance and incident response purposes. |
A scheduled job runs nightly and hard-deletes data that has passed its retention window. Purge activity is logged (row counts only — no content) and is visible to Platform administrators in the Admin > Purge Audit panel. No deleted content is recoverable after the purge job runs.
We implement technical and organisational measures to protect personal information including:
We conduct security reviews as part of our development process. For our full security documentation, contact security@obsidia.com.au.
We use a limited number of sub-processors to deliver the Platform. Our sub-processor register sets out the name, purpose, and data location of each processor. All sub-processors are subject to contractual data processing obligations consistent with Australian privacy law.
Where data is processed outside Australia (for example, AI inference via Anthropic), it is subject to contractual protections including DPA review and no-training commitments. Our Overseas Disclosure Register lists every overseas recipient and documents the reasonable steps taken under APP 8 before each disclosure. The Compliance tier uses Australian-hosted AI inference (AWS Bedrock, Sydney region) where regulatory requirements demand it.
We do not transfer personal information overseas for any purpose other than service delivery.
Under the Australian Privacy Act, you have the right to:
Users should first contact their organisation's Platform administrator, who can export or correct information through the Admin panel. Direct requests to Obsidia can be made at privacy@obsidia.com.au. We will respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
We may update this policy from time to time to reflect changes to the Platform or applicable law. Material changes will be communicated to Customers by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent version.
Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
For privacy enquiries, data access requests, or complaints: