Privacy policy.

§ 01 · about

About this policy

ori.tools is operated by Matthew25 AI (ABN 19 692 319 476). We are committed to protecting the privacy of personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all personal information collected through our platform, including the Comply, Food Safety, and Learning modules.

§ 02 · what we collect

Information we collect

We collect the following categories of personal information:

• Identity information: Name, email address, role, job title
• Account information: Login credentials (passwords are hashed, never stored in plain text)
• Usage information: Training completion records, policy acknowledgments, compliance activity logs
• Health-related information: Where applicable, clinical documentation and care-related records as part of the Clinical module
• Uploaded content: Profile photos, certificates, training documents, policy documents

We collect personal information directly from you or your organisation's administrator when they invite you to the platform. We do not collect information from third parties without your knowledge.

§ 03 · how we use it

How we use your information

We use personal information for the following purposes:

• Providing and operating the ori.tools platform and its modules
• Authenticating your identity and managing your account
• Tracking training completion and compliance status for your organisation
• Generating AI-assisted summaries and search results from your organisation's policy documents
• Sending service notifications (training reminders, system updates)
• Improving the platform based on aggregated, de-identified usage patterns

We will not use your personal information for purposes other than those described above without your consent, except where required or authorised by law.

§ 04 · health information

Health information

Where our platform processes health information (as defined under the Privacy Act), we apply additional protections in accordance with APP 3 (collection of sensitive information). Health information is only collected with consent and is used solely for the purpose for which it was collected — typically clinical documentation, care planning, or regulatory compliance.

§ 05 · storage & security

Data storage & security

Your data is protected by the following measures:

• Data residency: All data is stored in Australia (AWS ap-southeast-2, Sydney region) via our infrastructure provider Supabase
• Encryption at rest: AES-256 encryption for all stored data
• Encryption in transit: TLS encryption for all data transmission
• Access control: Row-Level Security (RLS) ensures users can only access data belonging to their organisation
• Authentication: Multi-factor authentication (MFA) available for all accounts
• Infrastructure certification: Our infrastructure provider (Supabase) maintains SOC 2 Type II certification
• Backups: Daily automated backups with point-in-time recovery capability

§ 06 · sharing & disclosure

Data sharing & disclosure

We do not sell, rent, or trade personal information. We may share information with:

• Your organisation's administrators: Who have access to manage users, view compliance reports, and configure the platform for their organisation
• Infrastructure providers: Supabase (database hosting), Vercel (application hosting), OpenAI (AI features) — all bound by data processing agreements
• Law enforcement or regulators: Where required by Australian law or court order

In accordance with APP 8, where data is processed by overseas sub-processors (e.g. OpenAI for AI features), we take reasonable steps to ensure they handle data with equivalent privacy protections. Database storage remains exclusively in Australia.

§ 07 · retention & deletion

Data retention & deletion

We retain personal information for as long as your organisation maintains an active subscription. Upon subscription cancellation:

• Data is preserved for 90 days to allow reactivation
• After 90 days, data is archived and scheduled for permanent deletion
• Organisations may request immediate data export or deletion at any time

§ 08 · your rights

Your rights

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you (APP 12)
• Correct inaccurate or out-of-date information (APP 13)
• Request deletion of your personal information
• Withdraw consent for processing where consent was the basis for collection
• Export your data in a machine-readable format

To exercise any of these rights, contact us at privacy@ori.tools.

§ 09 · breach notification

Data breach notification

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act, if we become aware of a data breach that is likely to result in serious harm, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, as required by the NDB scheme
• Notify affected individuals as soon as practicable
• Provide recommendations for steps individuals can take to protect themselves

§ 10 · ai & automation

AI & automated processing

Our platform uses AI to provide features such as policy search (RAG), document summarisation, and clinical documentation assistance. When using AI features:

• AI processes only your organisation's data — never data from other organisations
• AI-generated outputs are clearly labelled and should be reviewed by qualified staff before clinical or regulatory use
• Your data is not used to train AI models
• AI processing occurs via API calls to our providers (currently OpenAI) — data is transmitted securely and not retained by the provider beyond the request lifecycle

§ 11 · changes

Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notification. The “last updated” date at the top of this page indicates when the policy was last revised.