Ernie AI Privacy Policy and Data Processing Addendum

Last Updated: Nov 16, 2025

This Privacy Policy and Data Processing Addendum (Policy) explains how Ernie AI Pty Ltd (ACN 692 665 099) (Ernie AI, we, us, our) collects, uses, discloses, and protects information when you visit our website, create an account, or use our Services.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We recognise that customers may be subject to privacy laws such as the EU and UK GDPR and the CCPA. Nothing in this Policy should be read as a representation that our Services fully comply with those laws. Customers are responsible for determining whether their use of the Services meets their own legal and regulatory obligations.

2. Scope

This Policy applies to:

  • the Ernie AI website

  • the Ernie AI chatbot platform, APIs, and associated tools

  • any feature, dashboard, or customer portal we provide

By using our Services, you agree to this Policy. If you use the Services for a business, you confirm you have authority to bind that business.

3. Definitions

Customer Data – information, content, or data you or your End Users provide through the Services, including chatbot inputs, outputs, and conversation logs.
Personal Data / Personal Information – information about an identifiable individual under applicable privacy laws.
Service Data – technical and operational data generated by the Services, including diagnostic logs, usage analytics, performance metrics, and security events.
Subprocessor – a third-party provider engaged by Ernie AI to process data on its behalf.

4. Data Security

We apply reasonable technical and organisational measures appropriate for a cloud-based SaaS product, including:

  • encryption in transit and at rest

  • access controls and role-based permissions

  • logging and monitoring

  • standard incident-response processes provided through our hosting and infrastructure partners

Customer Data is primarily stored in Australian data centres when handled by us directly.

Some processing may occur in other regions if required by our subprocessors (including OpenAI), who may operate infrastructure outside Australia.

We rely on the security controls of AWS, OpenAI, and other providers we use.

We require staff and subprocessors to comply with confidentiality and security obligations.

5. Information We Collect

Information You Provide

  • Business name and website

  • Account and contact details

  • Billing information

  • Chatbot inputs, outputs, and conversation logs (Customer Data)

  • Support requests, emails, and feedback

Automatically Collected Information

  • Website telemetry, cookies, device and browser data

  • Usage metrics and diagnostic logs

  • Basic IP and activity data to maintain system integrity

  • Basic referral attribution data generated through our affiliate provider (RefGrow), including a referral code stored via the refgrow_ref_code cookie when users click affiliate links

The embedded Ernie AI chatbot does not use cookies or third-party trackers.

6. How We Use Information

We use Customer Data and Service Data to:

  • provide and maintain the Services

  • operate infrastructure and hosting

  • improve accuracy, performance, and reliability

  • monitor system health and security

  • detect misuse or fraud

  • contact you for support, account management, and billing

  • comply with legal obligations

  • generate aggregated, de-identified analytics

We do not sell Personal Data.

We may use aggregated or de-identified data for analytics, product improvement, and quality assurance. We do not attempt to re-identify aggregated or de-identified data.

7. Data Retention

We retain Customer Data for as long as needed to:

  • operate the Services

  • maintain security

  • troubleshoot issues

  • improve functionality and reliability

We do not currently delete or de-identify all conversation logs within a fixed timeframe (such as 60 days).

If you close your account, we take reasonable steps to remove or de-identify Customer Data when it is no longer needed for operational, legal, or security purposes.

If you require specific retention settings for lawful or contractual reasons, contact support@heyernie.ai to discuss available options.

8. Subprocessors and International Transfers

We use subprocessors, including cloud hosting providers and AI infrastructure providers, to deliver the Services.

A current list of subprocessors is available here.

Subprocessors may process data in Australia or overseas locations depending on their infrastructure design.

We impose contractual confidentiality and data-protection requirements that are appropriate for the Services, but subprocessors may not have obligations identical to ours.

We do not apply or rely on Standard Contractual Clauses (SCCs).

Your use of the Services constitutes consent to overseas processing where required to deliver the Services.

9. Roles and Responsibilities

Data Type

Ernie AI Role

Description

Customer Data

Processor

We process Customer Data only to provide, secure, and maintain the Services. You act as the Controller.

Service Data

Controller

We use Service Data to operate, secure, and improve the Services.

10. Your Responsibilities as Controller

If you deploy Ernie AI on your website or platform, you are responsible for:

  • giving End Users any privacy notices required by law

  • obtaining consent where needed

  • ensuring Customer Data was collected lawfully

  • choosing the lawful basis for processing

  • managing End-User requests (access, correction, deletion)

  • notifying us if our help is required to meet a legal obligation

  • ensuring your use of the Services complies with privacy, data protection, spam, and consumer laws

You must not use the Services to intentionally collect sensitive information (such as health data, biometric data, financial account numbers, or children’s data) unless legally permitted and technically appropriate.

11. Our Commitments as Processor (DPA)

When acting as a data processor for Customer Data, we will:

  • process Customer Data only to provide the Services and follow your documented instructions

  • keep Customer Data confidential

  • apply reasonable security measures as described in this Policy

  • assist you with data-subject or regulatory requests where legally required

  • notify you without undue delay if we confirm a data breach involving Customer Data

  • engage subprocessors under written agreements

  • discontinue or delete Customer Data when no longer needed, except where retention is required by law or legitimate operational need

Our obligations under this DPA are subject to the liability limits in the Ernie AI Terms of Service.

12. Lawful Bases for Processing

We process Personal Data under several lawful bases, depending on context:

  • Contract performance – to deliver and support the Services

  • Legitimate interests – to operate, secure, and improve the platform

  • Consent – for marketing where you opt in

  • Legal obligation – where required under applicable law

We do not rely on legitimate interests where applicable law requires consent.

13. Sharing and Disclosure

We may share data with:

  • subprocessors involved in hosting, AI processing, and operations

  • regulators or authorities when required by law

  • potential acquirers or successors in the event of merger or restructure (subject to confidentiality)

We do not sell or rent Customer Data.

14. Your Rights

Depending on your jurisdiction, you may request:

  • access to your Personal Data

  • correction of inaccurate Personal Data

  • deletion (where legally permitted)

  • restriction or objection to processing

  • withdrawal of consent where consent was the basis

Contact support@heyernie.ai to submit a request.
We will respond within applicable legal timeframes.

For End Users interacting with customer chatbots, the relevant Controller (the business operating the chatbot) must manage the request.

15. Security and Incident Response

We maintain monitoring and incident-response processes appropriate for a cloud SaaS service.

If we confirm a breach likely to cause serious harm, we will notify affected customers and regulators where required by law.

Both parties must cooperate in investigating and mitigating incidents.

16. Cookies and Analytics

Our website uses cookies for functionality, security, performance, analytics, and affiliate referral tracking. 

When a visitor clicks an authorised affiliate link, our affiliate program provider RefGrow sets a small cookie named refgrow_ref_codeto record the referral source. The cookie stores a basic referral code only. It does not contain personal information, and it does not track behaviour across other websites.

You can disable cookies in your browser settings, but some features, including referral attribution and certain site functions, may not work as intended.

The embedded Ernie AI chatbot does not use cookies or third-party trackers.

17. Children

The Services are not intended for individuals under 18.

If we become aware that we have collected such data, we will delete it promptly.

18. Business Transfers, Sale, or Closure

If we merge, restructure, or transfer our business, we may transfer data to a successor subject to equivalent protections, or delete or de-identify data where required by law.

19. Changes to This Policy

We may update this Policy at any time.

Where updates materially affect your rights, we will give at least 30 days’ notice.

Continued use of the Services after the effective date constitutes acceptance.

20. Contact Us

Ernie AI Pty Ltd
Email: support@heyernie.ai