Privacy Policy
Effective date: 20 February 2026
AccuFind Pty Ltd (ABN 29 685 235 634) ("AccuFind", "we", "us", "our") is committed to protecting your personal information. This policy explains how we collect, use, store, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Privacy Officer: privacy@accufind.ai
1. Scope
This policy applies to:
- The accufind.ai website
- AccuFind Law — our AI-powered legal research platform (SaaS)
- PolicyDNA — our professional services engagement for policy analysis
AccuFind acts as a data controller for customer account and contact information. When our clients upload documents or submit queries through our platforms, AccuFind acts as a data processor on behalf of the client organisation.
2. Information We Collect
AccuFind Law (Virtual Assistant)
- Account data: email address, name, organisation, and department — collected at account creation or received from your employer's identity provider (e.g. Azure Entra ID, Okta) via SAML federation
- Research queries and responses: the questions you ask and the AI-generated answers, stored in audit logs
- Usage data: search mode, jurisdiction selections, timestamps, and session metadata
- Feedback: thumbs-up/down ratings and optional comments you provide on responses
- Preferences: theme, font size, and preferred jurisdictions
- Technical data: IP address and browser type, logged with each query
PolicyDNA (Professional Services)
- Client policy documents uploaded for analysis, processed within AccuFind's AWS Sydney tenant
- Analysis outputs: scored reports, findings, and recommendations
- PolicyDNA processes organisational documents only — no end-user personal data is collected
Website (accufind.ai)
- Google Analytics: anonymised usage data such as pages visited, search mode type, and jurisdiction selections. No query text is sent to Google.
- We do not use cookies for authentication. Sessions use browser sessionStorage, which is cleared when you close the tab.
3. How We Use Your Information
- Delivering and operating our services
- Processing and responding to your research queries via AI
- Generating audit logs for security and compliance
- Improving service quality using aggregated, anonymised data only
- Communicating about your account and service updates
- Marketing communications (with your consent only — you can opt out at any time)
We do not use your queries, responses, or documents to train AI models.
4. AI Processing
All AI processing uses Amazon Bedrock hosted in the AWS Sydney region (ap-southeast-2). No data is sent to AI providers outside Australia.
- AI models used: Anthropic Claude (via AWS Bedrock), Amazon Nova, and custom embedding models on AWS SageMaker — all within the Sydney region
- No model training on your data: AWS Bedrock's terms prohibit the use of customer inputs and outputs for model training
- PII detection: queries are automatically scanned for personal information before AI processing. Detected PII is redacted before being sent to AI models.
- Not legal advice: AI outputs are not legal advice and should not be relied upon without human review
5. How We Share Your Information
- AWS (Amazon Web Services): our infrastructure provider. All data is processed and stored in the AWS Sydney region under AWS's Data Processing Agreement.
- Google Analytics: anonymised website usage data only (no query text, no personal identifiers). Google may process this data in the US.
- Your employer / identity provider: for federated login, we receive identity assertions from your organisation's identity provider. We do not share data back.
- Payment processors: billing information for paid subscriptions.
We do not sell personal information or share it with advertising networks. We may disclose information if required by law or valid legal process.
6. Data Sovereignty
- All production data is processed and stored exclusively within the AWS Sydney region (ap-southeast-2), Australia
- AWS Service Control Policies prevent data from leaving the Sydney region
- AI model inference occurs within Australia via AWS Bedrock regional endpoints
- The only exception is Google Analytics website data, which may be processed by Google in the US. This does not include any query text or document content.
7. Data Security
- Encryption at rest: AES-256 via AWS KMS for all databases and storage
- Encryption in transit: TLS 1.2+ for all connections
- Authentication: AWS Cognito using OAuth 2.0 with PKCE, plus optional multi-factor authentication (TOTP)
- Access controls: IAM-based, principle of least privilege
- Audit logging: immutable audit trail of all system access
- Multi-tenant isolation: enforced at application, database, and infrastructure layers
- Account provisioning: self-registration is disabled — all user accounts are provisioned by organisational administrators
- Regular security assessments and penetration testing
8. Data Retention
| Data type | Retention period |
|---|---|
| Audit logs (queries and responses) | 7 years |
| User account data | Duration of account + 30 days after deletion request |
| PolicyDNA client documents | Deleted within 30 days of engagement completion, or as agreed per contract |
| Feedback submissions | 2 years |
| Website analytics | 14 months (Google Analytics default) |
| Financial / billing records | 7 years (ATO requirement) |
| System logs (CloudWatch) | 30–90 days |
9. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access your personal information (APP 12) — we will respond within 30 days
- Correct inaccurate or out-of-date information (APP 13)
- Request deletion of your information, subject to any legal retention obligations
- Withdraw consent for marketing communications at any time
- Complain to us, or to the Office of the Australian Information Commissioner (OAIC)
New Zealand users: you have equivalent rights under the Privacy Act 2020 (NZ). Complaints may also be directed to the NZ Privacy Commissioner.
10. Notifiable Data Breaches
AccuFind complies with the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988). If we become aware of an eligible data breach, we will:
- Notify affected individuals and the OAIC as required by law
- Notify affected client organisations promptly
11. Cookies and Tracking
- Authentication: no cookies are used for authentication. Sessions are managed via browser sessionStorage, which is cleared when you close the tab.
- Preferences: localStorage stores UI preferences only (dark mode, font size, disclaimer acceptance). No personal data is stored in localStorage.
- Analytics: Google Analytics 4 collects anonymised usage patterns. No query text or personal identifiers are sent. You can opt out via your browser settings or Google's opt-out extension.
12. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information.
13. Changes to This Policy
We will post updates to this page with a revised effective date. Material changes will be communicated via email or in-app notification.
14. Contact and Complaints
If you have questions about this policy or wish to exercise your privacy rights, please contact us:
- Privacy Officer: privacy@accufind.ai
- AccuFind Pty Ltd, ABN 29 685 235 634
If you are not satisfied with our response, you may contact:
- Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
- NZ Privacy Commissioner: privacy.org.nz | 0800 803 909