1. Who we are and what this policy covers
TW AI Pty Ltd (ACN 697 524 771, ABN 70 697 524 771), trading as Totally Wild AI, with registered office in Brisbane, Queensland, Australia (Totally Wild AI, we, us), is the entity responsible for personal information handled in connection with totallywild.ai, the Totally Wild AI platform at app.totallywild.ai, and our related services (the Service).
We are an "APP entity" under the Privacy Act 1988 (Cth) and we comply with the Australian Privacy Principles (APPs). For New Zealand individuals, we comply with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs). Where the GDPR or UK GDPR applies (for example, if you are based in the EU/UK), we comply with those laws too.
In this policy:
- We act as a data controller for personal information about website visitors, prospects, and Account holders.
- We act as a data processor ("on behalf of a customer") for any personal information embedded in content a customer uploads into the platform. Our customer remains the controller and is primarily responsible for your rights as an end-user.
This policy is freely available; alternative formats are available on request from privacy@totallywild.ai.
2. Personal information we collect
We collect the following categories of personal information:
- Account information. Email address; password (stored only as a PBKDF2 hash, never in plain text); optional TOTP two-factor secret (stored encrypted); display name and role.
- Session and authentication data. Refresh tokens (stored in Cloudflare D1 at the edge), login timestamps, device and user-agent metadata, and IP address at sign-in.
- Technical / device data. IP address, browser type, operating system, language, referrer, and request logs (CloudWatch and Cloudflare edge logs).
- Anti-bot signals. When you sign up or request a password reset, Cloudflare Turnstile processes your IP, TLS fingerprint, user-agent, and browser characteristics to score bot-likelihood. Turnstile does not use cookies and Cloudflare cannot directly identify you from these signals.
- Customer-uploaded content. Business requirements documents, prompts, code, files, and any personal information embedded in them. We do not require you to submit personal information and ask you not to paste sensitive personal information unless your contract specifically authorises it.
- AI-generated outputs. Architecture artefacts, generated code, conversation transcripts.
- Billing data. A minimal billing contact (name, email, address). Card data is not stored by Totally Wild AI; it is handled by our payment processor.
- Support communications. Emails, chat transcripts and any information you give us when you ask for help.
- Marketing / website data. Aggregate page view data via Vercel Analytics (cookieless, hashed visitor IDs that auto-discard after 24 hours), and any newsletter sign-ups you initiate.
Sensitive information. We do not solicit and do not knowingly collect "sensitive information" within the meaning of section 6 of the Privacy Act 1988 (Cth) or "special category data" under Article 9 of the GDPR (health, racial or ethnic origin, religious belief, sexual orientation, criminal record, biometric or genetic information, etc.). See Section 14.
3. How we collect personal information
We collect personal information:
- Directly from you when you sign up, upload content, contact us, or interact with our website;
- Automatically when you use the Service — via cookies and local storage (session and refresh tokens, theme preference), server logs, Cloudflare edge logs, Vercel Analytics, and Cloudflare Turnstile on form submission;
- From third parties — our payment processor (when you pay), any single-sign-on identity provider you choose to use in future, and content uploaded by our customers that contains personal information about third parties. For information collected indirectly through a customer, we rely on the customer's representation that they have a lawful basis and authority to provide it.
We collect by lawful and fair means and, where reasonably practicable, directly from you (APP 3.5–3.6, NZ IPP 2 and IPP 4).
4. Why we collect it (purposes and lawful bases)
We collect, use, and disclose personal information only for the purposes set out below. Where the GDPR applies, the lawful basis under Article 6 is shown in brackets.
- Creating and authenticating your Account, and providing the Service (Art. 6(1)(b) — contract).
- Processing customer-uploaded content through LLMs to produce architecture documents, code and project plans (Art. 6(1)(b) — contract; we act as processor for third-party personal information embedded in content).
- Billing and collecting payments, and complying with tax and corporate-record obligations (Art. 6(1)(b) and Art. 6(1)(c)).
- Security, fraud prevention, abuse detection, and Turnstile bot scoring (Art. 6(1)(f) — legitimate interests in protecting the Service and our customers).
- Service-related notifications including password reset, signup confirmation, and an internal new-signup notification to our admin@ inbox (Art. 6(1)(b)).
- Product improvement, debugging, and aggregated analytics (Art. 6(1)(f)).
- Marketing about similar products to existing business customers, with an opt-out (Art. 6(1)(f) and APP 7 — consistent with reasonable expectations).
- Compliance with Australian, NZ, EU, UK or other law, including the Notifiable Data Breaches scheme and lawful disclosure under court orders (Art. 6(1)(c)).
No automated decisions of legal or significant effect. The Service generates outputs for our customer's review; we do not make automated decisions about you within the meaning of Article 22 of the GDPR or the new automated decision-making transparency rules introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) (effective 10 December 2026). If we ever start using personal information in such decisions, we will update this policy and seek any required consent.
5. How we use it
Day-to-day, we use personal information to:
- authenticate sessions via refresh tokens stored in Cloudflare D1;
- send service-critical email (password reset, security alerts, billing) via a Cloudflare Worker calling our email provider;
- send a new-signup notification to admin@totallywild.ai including your email address, IP and user-agent — this is internal operational use, not marketing;
- forward your prompt content to our LLM providers (currently Anthropic and OpenAI; possibly others as we evolve the Service) for output generation — see Section 8;
- store prompt and response logs for your audit and abuse-prevention purposes per the retention schedule in Section 11.
6. Disclosure to third parties (sub-processors)
We disclose personal information to a small number of carefully-vetted third parties (sub-processors) that help us deliver the Service. Our current sub-processors are:
| Sub-processor | Service | Country |
|---|---|---|
| Amazon Web Services | Application hosting (ECS, RDS, S3, EFS, ElastiCache), CloudWatch logging | Australia (ap-southeast-2, Sydney) |
| Cloudflare, Inc. | CDN, WAF, DDoS protection, Workers, D1 (sessions), KV, Turnstile | Global edge network |
| Anthropic, PBC | Claude LLM API for output generation | United States |
| OpenAI, L.L.C. | GPT API for output generation (where used) | United States |
| Vercel, Inc. | Marketing site hosting and cookieless analytics | United States |
| Email service provider | Transactional + notification email | United States / Australia |
| Payment processor | Subscription billing | United States / Australia |
The current and authoritative list lives at totallywild.ai/subprocessors. We will give reasonable advance notice of any new or changed sub-processor (typically 30 days where practicable).
We may also disclose personal information to: (a) our staff and contractors bound by confidentiality; (b) our professional advisers (legal, accounting, audit); (c) regulators, law-enforcement and courts where required by law; and (d) a successor in connection with a merger, acquisition or restructure (subject to confidentiality obligations).
7. Cross-border transfers
Application data is primarily hosted in AWS ap-southeast-2 (Sydney). Some processing — particularly LLM inference — happens in the United States or other regions where our sub-processors operate. We are accountable under APP 8 for the way overseas recipients handle personal information disclosed to them and require each sub-processor by contract to handle personal information to a standard at least as protective as this policy.
For EU and UK individuals. We transfer personal information out of the EEA / UK on the basis of: (a) the EU–US Data Privacy Framework and the UK extension thereto where the recipient is certified; and (b) the European Commission's Standard Contractual Clauses (with a Transfer Impact Assessment) or the UK International Data Transfer Addendum where it is not. Copies of the SCCs / IDTA are available on request.
For NZ individuals. We disclose personal information to overseas recipients on the basis of contractual safeguards equivalent to those required by IPP 12 and the NZ Privacy Commissioner's IPP 12 model clauses.
8. AI processing of your content
The Service routes your prompts to large language models hosted by Anthropic and OpenAI (and, in future, possibly other providers). The following commitments apply.
- We do not train on your data. We do not use your inputs, outputs or other Customer Data to train, fine-tune or evaluate any AI model, ours or anyone else's.
- We disable provider training on your data. We configure our calls to upstream providers to opt out of training on customer data where that setting is supported. Anthropic's commercial-tier policy at privacy.claude.com states that, by default, inputs and outputs from commercial products are not used to train Anthropic's models. OpenAI's API policy at openai.com/enterprise-privacy states that API data is not used for model training and that abuse-monitoring logs (where retained) are kept for at most 30 days, with zero-retention available for eligible enterprise customers.
- Abuse-monitoring residual. Even with training opt-outs, providers may retain prompts and outputs briefly to detect policy violations. The Anthropic and OpenAI retention windows are documented in their privacy policies; we link to the current versions on our sub-processor page.
- Sensitive data warning. Do not paste credentials, government identifiers, payment card numbers, health information, or other sensitive personal information into prompts unless your contract with us specifically authorises it.
- Internal logs. We retain prompts and outputs within our own systems for the customer's audit trail and abuse-prevention purposes per the retention schedule in Section 11.
- Outputs are AI-generated. They may be inaccurate, incomplete, or contain hallucinations. They are generated for your review and are not professional advice and not automated decisions about any individual.
We have read the OAIC's October 2024 Guidance on privacy and the use of commercially available AI products and consider this policy aligned with it.
9. Cookies, local storage and analytics
The Service and marketing site use the following:
- Strictly necessary cookies and storage: session cookies, refresh-token storage in localStorage, theme preference. These cannot be disabled without breaking sign-in.
- Cloudflare Turnstile: processes IP, TLS fingerprint, user-agent and browser characteristics for bot scoring. Turnstile does not use cookies and is not used for advertising or cross-site tracking.
- Vercel Analytics: aggregate page-view tracking on the marketing site. Cookieless. Visitor IDs are hashed and discarded after 24 hours; no cross-site profiles are built.
For visitors from the EU / UK, we will display a consent banner where required and honour withdrawal of consent. You can also clear cookies and local storage at any time via your browser controls.
10. Data security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure (APP 11.1, NZ IPP 5, GDPR Art. 32). Our controls include:
- encryption in transit (TLS 1.2+) and at rest (AWS-managed KMS, RDS, S3 and EFS encryption);
- passwords stored as PBKDF2 hashes only; TOTP secrets stored encrypted; refresh tokens stored in Cloudflare D1 with restricted access;
- VPC isolation in AWS ap-southeast-2; least-privilege IAM; secrets in AWS Secrets Manager; access logging via CloudWatch;
- Cloudflare WAF, DDoS protection, and Turnstile in front of the application;
- internal access controls, staff multi-factor authentication, principle of least privilege, and a secure software-development lifecycle;
- contractual security commitments from our sub-processors;
- an incident-response process aligned with the AU Notifiable Data Breaches scheme (Pt IIIC of the Privacy Act), the NZ Privacy Act 2020 Pt 6 notifiable privacy breach regime, and GDPR Articles 33–34.
No system is fully secure. If we believe a breach is likely to result in serious harm or notifiable harm under the applicable law, we will notify the relevant regulator and affected individuals within the timeframes those laws require.
11. How long we keep it
- Account data: while your Account is active and for thirty (30) days afterwards (to support restoration), then deleted or de-identified — except where retained for legal, audit or tax reasons.
- Refresh tokens / sessions: rotated regularly, revoked on logout or password change, and deleted on session expiry.
- Customer-uploaded content and prompt logs: retained for the duration of your subscription (or any longer period set out in your contract). You may request earlier deletion via the platform or by emailing privacy@totallywild.ai.
- Server / edge logs: 30–90 days for operational logs; longer for security-investigation logs where justified.
- LLM-provider abuse-monitoring: as set by the provider — typically up to 30 days at OpenAI without zero-retention; per Anthropic's published retention policy.
- Billing records: retained for the period required by Australian tax and corporations law (typically seven (7) years).
- Marketing / suppression list: we maintain a suppression list of unsubscribed addresses indefinitely so we can continue to honour the unsubscribe.
- Backups: rolling, overwritten on a cycle of up to ninety (90) days.
12. Your privacy rights
(a) Australia (APPs 12 and 13)
You have the right to access personal information we hold about you and to seek correction. We will respond within a reasonable time (the OAIC views thirty (30) calendar days as a reasonable benchmark). Limited grounds for refusal apply under APP 12 (for example, where access would have an unreasonable impact on the privacy of others); we will explain any refusal in writing.
(b) New Zealand (IPPs 6 and 7)
You have the right to access and correct personal information; we will respond within twenty (20) working days as required by the Privacy Act 2020 (NZ). If we decline correction, you may attach a statement of correction sought.
(c) EU / EEA / UK (GDPR and UK GDPR)
You have the rights of:
- access (Art. 15) and rectification (Art. 16);
- erasure (Art. 17);
- restriction of processing (Art. 18);
- data portability for processing based on consent or contract (Art. 20);
- objection to processing based on legitimate interests or direct marketing (Art. 21);
- withdrawing consent at any time, without affecting the lawfulness of prior processing (Art. 7(3));
- not being subject to fully automated decisions producing legal or similarly significant effects (Art. 22) — see Section 4.
We will respond within one month and may extend by up to two further months for complex requests, with notice.
(d) End-users of our customers
If your data is in content uploaded by one of our customers, that customer, as the data controller, is primarily responsible for your rights. Direct your requests to them and we will assist them in our role as processor.
How to exercise
Email privacy@totallywild.ai with reasonable verification of identity. We will not charge for routine requests.
13. Marketing communications
We send commercial marketing only to people who have signed up, are existing business customers, or have a publicly published business address that indicates the role we are contacting them in. Every commercial email includes our legal entity name, ABN 70 697 524 771, our registered address, and a one-click unsubscribe link.
In Australia, we comply with the Spam Act 2003 (Cth); unsubscribe takes effect within five (5) business days. In NZ, we comply with the Unsolicited Electronic Messages Act 2007; unsubscribe takes effect within five (5) working days. Once you unsubscribe, we add you to a suppression list and will not re-add you without your express consent.
Service / transactional messages (password reset, billing, security alerts, signup notifications to admin@) are not marketing and continue while your Account is active.
14. Sensitive information
We do not solicit and do not knowingly require sensitive information. Please do not paste sensitive personal information into prompts unless your contract with us specifically authorises it. If your customer-uploaded content nonetheless contains sensitive information, we process it strictly as a processor on the customer's instructions and under the same security and sub-processor controls described in this policy. The customer is responsible for ensuring an Article 9 GDPR / APP 3 lawful basis exists for that information.
15. Children
The Service is a B2B platform intended for individuals aged sixteen (16) and over acting in a business capacity. It is not directed to children. We do not knowingly collect personal information from children under sixteen. If you believe a child has signed up, contact privacy@totallywild.ai and we will delete the Account and any personal information we have collected.
16. Complaints
If you believe we have mishandled your personal information, please email privacy@totallywild.ai first so we can investigate and respond. We will acknowledge within five (5) business days and aim to substantively respond within thirty (30) days.
If you remain dissatisfied, you may complain to:
- Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au, 1300 363 992.
- New Zealand — Office of the Privacy Commissioner, privacy.org.nz, 0800 803 909.
- EU / EEA — the supervisory authority of your habitual residence, place of work, or place of the alleged infringement (a directory is at edpb.europa.eu).
- UK — Information Commissioner's Office (ICO), ico.org.uk.
17. Contact
All privacy-related contact: privacy@totallywild.ai.
Postal address: TW AI Pty Ltd (ACN 697 524 771) trading as Totally Wild AI, Brisbane, Queensland, Australia.
18. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to Account holders and an in-product banner ahead of the effective date. Non-material changes (clarifications, formatting, sub-processor list updates) will be reflected in a versioned changelog at the bottom of the policy.