This Privacy Policy explains how OramisAI Pty Ltd (ABN 54 693 539 936) collects, uses, and handles personal information in connection with our website and AI governance software. It is issued in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
OramisAI Pty Ltd (ABN 54 693 539 936) trading as OramisAI ("OramisAI", "we", "us" or "our") is an Australian artificial intelligence software and governance technology company. We develop and license a customer-configurable AI governance platform and related software products (the "Software") that enables enterprise and government customers to deploy, manage and govern AI capabilities within their own controlled environments.
This Privacy Policy ("Policy") applies to personal information that OramisAI collects and handles in connection with: (a) the operation of our website at www.oramisai.com (the "Site"); (b) the provision of our Software, support services and professional services (collectively, the "Services"); and (c) our general business operations.
This Policy is issued in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs").
Important — Customer-Controlled Deployments: OramisAI primarily functions as a software provider and governance layer. In many deployment configurations, OramisAI does not routinely access, process, or retain the data uploaded, processed, or generated by customers within their own environments, except where operationally necessary to deliver contracted services or as expressly authorised by the customer. Customers and their end users are responsible for their own compliance with applicable privacy and data protection laws in connection with data they upload or process using the Software.
This Policy applies to personal information OramisAI collects, holds, uses and discloses in the course of its own operations as a software vendor. It applies to:
This Policy does not govern or describe how OramisAI's customers process personal information of their own end users within the Software. Where OramisAI processes personal information on behalf of a customer under a data processing agreement ("DPA") or equivalent arrangement, the terms of that DPA prevail over this Policy to the extent of any inconsistency.
OramisAI operates as a software provider and AI governance layer. The Software is designed to be deployed in customer-controlled and customer-configurable environments. Depending on the deployment model selected by the customer, the Software may operate:
In these deployment configurations, OramisAI acts as a software licensor and service provider. The customer retains ownership of and control over all data uploaded to, processed within, or generated by the Software in their environment. OramisAI does not routinely access customer environments, data repositories, or AI outputs. Any access is limited to what is operationally necessary to provide contracted technical support, where expressly permitted by the customer, or where required by law.
"Personal information" has the meaning given to it in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in material form or not.
We collect personal information that you provide to us when you:
When you visit our Site or use our Services, we automatically collect certain technical information, including IP address and approximate geolocation, browser type and operating system, pages viewed and navigation paths, referring URLs and exit pages, session identifiers and authentication logs, and platform usage metadata.
Platform usage metadata collected for service improvement and support purposes is aggregated and de-identified where possible. We do not use customer-uploaded data or customer AI outputs for the purpose of improving our Software without the express written consent of the relevant customer.
We may receive personal information from third parties including integration partners, identity verification providers, payment processors, and publicly available sources where lawfully permitted.
OramisAI does not intentionally collect sensitive information through its own Site or business operations. If you voluntarily provide sensitive information in the course of a support request or other direct communication, we will handle it in accordance with this Policy and the APPs.
All data that a customer uploads to, processes within, or generates using the Software ("Customer Data") remains the exclusive property of that customer. OramisAI does not claim any ownership rights, licence or interest in Customer Data beyond the strictly limited operational access described in Section 5.2.
OramisAI does not, by default, access, view, use or process Customer Data. Limited access may occur only in the following circumstances:
OramisAI does not use Customer Data — including customer prompts, AI outputs, uploaded documents, memory stores, or enterprise knowledge bases — to train, fine-tune, benchmark or improve OramisAI's own AI models or software products. This prohibition applies by default across all deployment configurations.
Customers are solely responsible for ensuring that any personal information or other data they upload to, process within, or instruct the Software to handle has been collected lawfully and may be processed in accordance with applicable law, including the Privacy Act 1988 (Cth) and the APPs.
The Software provides configurable data retention settings. Customers may set their own retention periods for prompts, outputs, audit logs, memory stores and other data elements. Customers may initiate deletion of their data at any time through the platform's administrative controls or by submitting a written request to OramisAI.
Where supported by the customer's deployment configuration, customers may supply and manage their own encryption keys (BYOK architecture). In such configurations, OramisAI does not by default hold or access the customer's encryption keys.
The Software includes configurable audit logging features covering user activity, access events, data processing actions and governance decisions within the customer's environment. Audit log retention periods and export options are configurable by the customer.
OramisAI uses personal information collected through its own Site and business operations for the following purposes:
OramisAI does not use personal information to build individual behavioural profiles for third-party advertising, nor does it sell personal information to third parties.
We engage carefully selected third-party service providers to support our business operations. These may include cloud infrastructure providers, payment processors, customer relationship management platforms, support and helpdesk tools, identity and access management providers, and business analytics services. All such providers are bound by contractual obligations to process personal information only on our documented instructions.
We may disclose personal information to our lawyers, accountants, auditors, insurers and other professional advisers where necessary for the conduct of our business, subject to confidentiality obligations.
In the event of a merger, acquisition, restructure, capital raising, asset sale or insolvency event, personal information may be disclosed to counterparties, investors and their advisers on a confidential basis.
We may disclose personal information where required or authorised by law, including to law enforcement, courts, regulatory bodies and government authorities in response to lawful requests or court orders.
We may disclose personal information to any other third party where you have given explicit consent to that disclosure.
Some of the third-party service providers that support OramisAI's own business operations are located overseas, including in the United States and other jurisdictions. As a result, personal information that OramisAI collects through its Site and business operations may be transferred to and processed in countries outside Australia.
Before disclosing personal information to overseas recipients, OramisAI takes reasonable steps to ensure that personal information is handled consistently with the APPs, including through contractual protections and data transfer mechanisms appropriate to the circumstances.
For customers with data residency requirements, the Software supports deployment in customer-selected regions and cloud environments. Customers may configure the Software to ensure that Customer Data does not leave a specified geographic region. OramisAI does not, by default, transfer or replicate Customer Data across geographic regions except as instructed by the customer, as operationally necessary under a contracted service, or as required by law.
OramisAI implements and maintains reasonable technical, organisational and administrative security measures designed to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our measures include:
In the event of a data breach affecting personal information held by OramisAI in its own systems that is likely to result in serious harm, we will comply with our obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, including notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals as required.
Our Site uses cookies and similar tracking technologies to support Site functionality, measure performance and improve user experience. You may configure your browser to refuse or manage cookies. Please refer to our Cookie Policy for further information and opt-out options.
Personal information collected by OramisAI through its own operations is retained for as long as necessary for the purposes for which it was collected, or as required by applicable law. When personal information is no longer required, we take reasonable steps to destroy or de-identify it securely. For Customer Data, retention and deletion are governed by the customer's own configurable settings and the applicable service agreement.
You may request access to personal information OramisAI holds about you. We will respond within 30 days. We may decline access where required or authorised by law.
If you believe personal information we hold is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us to request a correction. We will respond within 30 days.
You may withdraw consent to receive marketing communications at any time by using the unsubscribe mechanism in any marketing email, adjusting your account preferences, or contacting us.
Where lawful and practicable, we will offer the option to interact with us anonymously or by pseudonym.
You may request deletion of your personal information where we are not required to retain it by law, contract, or for legitimate operational purposes.
Where your personal information is held within a customer's deployment of the Software, you should direct access, correction or deletion requests to the relevant OramisAI customer. The customer is the data controller for that environment.
OramisAI's platform is designed to meet the data governance, security and sovereignty requirements of enterprise and government customers. Key features available for enterprise deployments include single-tenant or on-premises deployment, configurable data residency, BYOK encryption, BYOM integration, RBAC, SSO, comprehensive audit logging, and no default use of Customer Data for AI model training. Data processing agreements (DPAs) are available on request.
Our Site and Services are not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently received personal information from a person under 18, we will take steps to delete it promptly.
We reserve the right to amend this Policy at any time. The updated Policy will be published on our Site with a revised effective date. Where we make material changes, we will notify registered users by email or via a notice on the Site prior to the change taking effect.
If you believe OramisAI has breached the APPs or your rights under this Policy, you may lodge a complaint with our Privacy Officer. Please mark your communication "Privacy Complaint - Confidential". We will acknowledge receipt within 5 business days and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
To the maximum extent permitted by Australian law, OramisAI shall not be liable for any indirect, incidental, special, consequential or punitive loss or damage arising out of or in connection with any collection, use, disclosure, or security incident involving personal information held within a customer-controlled deployment of the Software; any breach or data loss caused or contributed to by a customer, end user, or third party; or a customer's failure to configure the Software in accordance with applicable law. Nothing in this Policy is intended to exclude any rights under the Australian Consumer Law.
This Policy is governed by the laws of New South Wales, Australia, and applicable federal Australian laws. Any disputes shall be subject to the exclusive jurisdiction of the courts of New South Wales and the Federal Court of Australia.