Who we are
EiGENRA (we, us, our) is an AI services practice based in Australia, operating globally. For the purposes of this policy and the Privacy Act 1988 (Cth), we act as the APP entity responsible for personal information collected through our website, lab tools, discovery enquiries, engagement intake, and the delivery of paid services.
For client engagements where the client determines the purposes and means of personal information processing, EiGENRA acts as a service provider / processor on the client's behalf. The Data Processing Addendum at /dpa sets out the additional terms that apply in that capacity.
Information we collect
Identity and contact information
When you submit an enquiry, book a discovery call, or sign an engagement, we collect the name, email address, organisation name, role, and any contact preferences you provide.
Engagement information
Process descriptions, organisational context, technical stack, and any documents you choose to share so we can scope or deliver an engagement.
Lab tool inputs and outputs
Free-text inputs (process descriptions, conversation messages, diagnostic answers) submitted to the tools at /lab, and the AI-generated outputs returned to you. By design, lab tools are intended for non-sensitive scoping inputs only — see the Acceptable Use Policy.
Technical and usage information
Device and browser metadata, IP address, request timestamps, referrer, page-view paths, and aggregated tool usage. Used to operate, secure, and improve the service.
Analytics
We use Google Analytics 4 (GA4) as a first-party analytics deployment to measure page views, traffic sources, and on-site interactions in aggregate. GA4 processes IP addresses to derive coarse geolocation and then discards them — full IPs are not stored. We do not run Google Ads, remarketing, or behavioural retargeting against this data. Google is a sub-processor; cross-border disclosure terms in section 08 apply. Cookie names, retention periods, and the opt-out path are documented at /cookies.
Cookies and similar technologies
A small set of strictly necessary cookies plus the GA4 first-party analytics cookies described above. Full detail at /cookies.
Sensitive information
We do not seek to collect sensitive information (as defined in s 6(1) of the Privacy Act — including health, racial, political, biometric, or genetic information). If sensitive information is provided to us inadvertently, we will delete it on request and avoid using or disclosing it.
How we use your information (APP 6)
We use personal information for these primary purposes:
- Responding to enquiries, scoping engagements, and delivering paid services
- Operating the website and the live lab tools, including incident response
- Producing fixed-price quotes, contracts, invoices, and audit-trail records
- Sending operational communications about engagements you have signed
- Improving our content, tools, and methodology — using aggregated, de-identified data wherever practicable
- Complying with our legal, regulatory, and tax obligations under Australian law
We will not use your personal information for a secondary purpose unless you would reasonably expect us to, the secondary purpose is directly related, or you have consented. We do not conduct direct marketing without an opt-in and we do not engage in profiling that produces legal or similarly significant effects.
Lawful basis and consent
We rely on a combination of consent, performance of a contract, our legitimate business interests in operating and improving the service, and our legal obligations. Where consent is the basis, you may withdraw consent at any time by emailing us at privacy@eigenra.com. Withdrawal does not affect the lawfulness of processing before withdrawal and does not extend to information we are required to retain by law.
Storage, security, and Australian data residency (APP 11)
By default, personal information collected through the site, the lab tools, and engagement intake is stored on Australian-region infrastructure — AWS Sydney or Microsoft Azure Australia East. Operational logs, the lead pipeline, and any generated artefacts inherit that posture unless a client expressly elects otherwise in their engagement agreement.
Specific safeguards include:
- Encryption in transit using TLS 1.2 or higher across every public endpoint
- Encryption at rest on managed datastores
- Role-based access control following the least-privilege principle, and multi-factor authentication for administrative access
- Just-in-time logged access for the build studio, with tamper-evident audit trails
- Vendor risk reviews and contractual data-protection terms before adopting any third-party processor
- Annual penetration test posture review and ongoing alignment with the Australian Signals Directorate's Essential Eight maturity framework
The full security posture is published at /security.
Use of AI inference and third-party processors
The lab tools at /lab generate output using third-party AI inference providers. Where you submit free-text inputs:
- The input is sent to the provider strictly to generate the response and is not used to train models on your data without consent
- We choose providers with enterprise-grade data-handling commitments — including no-training-on-input by default and short retention windows for abuse-monitoring purposes
- Inputs are minimised — please do not include personal information, customer data, credentials, or anything you would not paste into a search engine
- Provider routing may involve transitory cross-border transit. We assess each provider against APP 8 reasonable-step requirements and maintain contractual safeguards
A current list of sub-processors is maintained as part of the Data Processing Addendum at /dpa.
Who we share information with
We disclose personal information only as follows:
- To the founders and named delivery team for the engagement you have signed
- To service providers who help operate the business — hosting, payments, scheduling, communications, analytics — under contractual confidentiality and data-protection terms
- To professional advisors (accountants, lawyers, auditors) as reasonably required
- To Australian regulators or law-enforcement bodies where compelled by law or where disclosure is necessary to protect life, safety, or property
- In connection with a corporate transaction, on terms that preserve the protections in this policy
We never sell personal information.
Cross-border disclosure (APP 8)
Where a third-party processor — for example, an AI inference provider, scheduling platform, or payments provider — is located outside Australia, we take reasonable steps to ensure they handle the information consistently with the Australian Privacy Principles. This includes contractual commitments to APP-equivalent obligations, data-handling certifications, and a documented assessment of the recipient's jurisdiction. By submitting personal information you consent to such disclosure on those terms.
Retention
We retain personal information for as long as necessary for the purposes described in this policy, plus the period required by law (e.g. tax records — seven years under Australian taxation law). Lab tool inputs are retained for up to ninety days for service operation and abuse monitoring, then deleted or de-identified. Lead enquiry records are retained for up to twenty-four months from the last interaction unless you ask us to delete them sooner.
Notifiable Data Breaches (NDB) scheme
We comply with Part IIIC of the Privacy Act and the Notifiable Data Breaches scheme. If we experience a data breach that is likely to result in serious harm to one or more individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, with the content required under s 26WK of the Act.
Our incident response plan is reviewed annually and rehearsed at least once per year. Suspected incidents may be reported to security@eigenra.com for investigation.
Your rights (APP 12 and APP 13)
You have the right to:
- Request access to the personal information we hold about you
- Request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Withdraw consent (where consent is the basis for processing)
- Request deletion, subject to our legal retention obligations
- Lodge a complaint with us in the first instance, and with the OAIC if you remain dissatisfied — oaic.gov.au
We will acknowledge requests within seven days and respond substantively within thirty days. There is no charge for access or correction in the ordinary course.
Children
The website and lab tools are not directed at children under sixteen. We do not knowingly collect personal information from a child under sixteen. If you believe we have, please contact us at privacy@eigenra.com and we will delete it.
Overseas visitors and clients
Visitors and clients located in jurisdictions with comparable privacy regimes — including the European Economic Area (GDPR), the United Kingdom (UK GDPR), New Zealand (Privacy Act 2020), and equivalent — should note that we operate primarily under Australian law and Australian data residency. Where a client engagement triggers obligations under another jurisdiction, we accommodate those obligations in the engagement agreement and the DPA.
Updates to this policy
We may update this policy to reflect changes in our practices, infrastructure, or applicable law. Material changes will be highlighted at the top of this page for thirty days from the effective date. The effective date is shown at the top.
Contact
Privacy enquiries, access requests, and complaints: privacy@eigenra.com.
Security incidents and suspected breaches: security@eigenra.com.
You may also lodge a complaint directly with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.