How we collect, use, store and disclose personal information. Aligned with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
This is a starting-point privacy policy. We strongly recommend you have it reviewed by Australian privacy counsel before publishing it as your operative policy. References to "we", "us", "our" mean Travelogica Pty Ltd ACN [insert ACN], trading as Plexxa, an Australian company headquartered in Sydney, NSW.
This Privacy Policy explains how Plexxa handles personal information. It applies to information we collect through our website, the Plexxa application, our embedded widgets, our APIs, and any communications you have with us.
We are bound by the Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth). Where we act as a processor of customer content (i.e. data uploaded by our paying customers about their own end users), the controller of that data is the customer; our obligations to that customer are set out in our Data Processing Agreement.
Name, work email address, password (stored as a hash, never in plaintext), phone (optional), profile photo (optional), the company you work for, and the role(s) you've been granted within a workspace.
Documents, web pages, data sources and other content you upload, link, or connect. If you connect a Gmail or Microsoft 365 mailbox, we access the messages on your behalf to answer your queries; we do not store the message bodies in our database. We do log metadata about which messages were accessed for the purposes of audit and rate-limiting.
Records of your use of the service: queries you ask, answers returned, which sources were cited, error events, audit logs of administrative actions, billing events, IP address, user agent, and timestamps. We retain this information for the period set out in Section 8.
If you subscribe to a paid plan, we collect billing information necessary to process payment. Card data is handled by Stripe; we never receive or store full card numbers. We retain Stripe customer IDs, invoice records and last-four card digits for tax and accounting purposes.
If you email us, fill out a form on this site, or talk to support, we keep a record of that communication and any information you choose to share.
We do not knowingly collect sensitive information (as defined in section 6 of the Privacy Act 1988) such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric data. Please don't upload sensitive information into Plexxa unless you have a lawful basis for doing so and have configured your workspace appropriately. If you do upload it, you accept that we process it solely on your instructions as a processor under our DPA.
We collect the information described above so we can:
We collect personal information directly from you when you create an account, use the service, contact us, or upload content. We may also receive information about you from your employer (the workspace owner) if they invite you to a workspace, and from authentication providers (Google, Microsoft) when you sign in via SSO.
We use your information for the purposes described in Section 3, and for closely-related secondary purposes that you would reasonably expect — for example, sending you product updates, security notices, and billing-related communications. We will not use your personal information for direct marketing without your consent, and you can opt out of marketing emails at any time using the unsubscribe link in those emails.
We disclose personal information to:
We do not sell, rent, or trade personal information.
Some of our sub-processors are located outside Australia, including in the United States, the European Union, and the United Kingdom. Where we send personal information overseas, we take steps that are reasonable in the circumstances to ensure the recipient handles the information consistently with the Australian Privacy Principles, including by entering into Standard Contractual Clauses where appropriate.
By using Plexxa, you acknowledge that your information may be processed overseas. The current list of overseas sub-processors and their locations is in our DPA.
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. The specific controls we have in place are described on our Security page.
That said, no internet-connected system is perfectly secure. You acknowledge and accept that you upload, link, and store content in Plexxa at your own risk. We do not guarantee against every possible failure mode, and our liability for security incidents is limited as set out in our Terms and DPA.
Retention. We keep personal information only for as long as we need it for the purposes set out in this policy, or as required by law. After your account is closed, we hold your data for 30 days (in case you change your mind) and then permanently delete it from primary storage. Backup copies age out within a further 30 days. You can request immediate deletion in writing.
You have the right to ask for a copy of the personal information we hold about you, and to ask us to correct it if it's wrong. Most account information you can see and edit yourself in your workspace settings. For anything else, email privacy@plexxa.ai and we'll respond within 30 days. We don't usually charge for these requests; if a request is unusually large or burdensome, we may charge a reasonable cost-recovery fee and tell you about it before we do.
We use a small number of cookies for essential things: keeping you logged in, remembering preferences, and protecting against CSRF. We may use a privacy-respecting analytics tool to understand which pages people visit and roughly where they're from (city-level), without tracking individuals across the wider web. We do not use third-party advertising cookies.
Plexxa uses third-party AI models to answer queries about your content. When you ask a question, the relevant snippets of your content (typically a few hundred words) are sent to a model provider (OpenAI, Anthropic, Google, or Microsoft Azure OpenAI) for inference. We send these requests with provider settings configured to exclude the request from training datasets.
We do not train AI models on your content. Our suppliers contractually commit not to train on the content they receive via our API integrations.
AI outputs may be inaccurate. Large language models can produce wrong, incomplete or outdated answers — sometimes confidently. You are responsible for reviewing every AI-generated answer before relying on it. Plexxa is a productivity tool, not a substitute for professional advice or human judgement.
Plexxa is a workplace product, not designed for or directed at children under 16. We do not knowingly collect information from children under 16. If you believe a child has provided us with personal information, please contact us and we'll delete it.
We may update this policy from time to time. The "Last updated" date at the top of this page tells you when. If we make material changes, we'll let you know by email and / or by posting a notice in the product before the change takes effect. Continued use of Plexxa after a change means you accept the updated policy.
If you have a privacy concern, please email us first at privacy@plexxa.ai. We aim to acknowledge complaints within 5 business days and respond within 30 days.
If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner: