Privacy Policy

1. Introduction

This Privacy Policy explains how KylieBot (“we”, “us”, “our”), operated by STEM MATTERS PTY LTD (ABN 69 169 537 142, ACN 169 537 142), collects, uses, discloses, and protects your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

KylieBot is an AI-driven platform that helps scientists, technologists, researchers, and entrepreneurs articulate the impact of their work through interview-based narrative creation. By using KylieBot you agree to the collection, use, and disclosure of your personal information as described in this policy.

Privacy contact: info@kyliebot.com

2. Information We Collect (APP 3, 5)

2.1 Information you provide directly

• Account information — first name, last name, email address, organisation name (if applicable), and password (encrypted).
• Professional profile information — biography, research areas, expertise, career achievements, and short biography used in reports.
• Interview content — interview transcripts, professional stories and narratives, research descriptions, impact statements, grant application details, and career accomplishments shared during AI-assisted interviews.
• Voice recordings — audio captured during voice-based interviews. Recordings are processed by VAPI (our voice AI provider) and are not stored on KylieBot servers. VAPI retains recordings for 7 days, after which they are automatically deleted.
• User-generated content — edits to generated reports, feedback on narrative drafts, and communication with our support team.

2.2 Information we collect automatically

• Technical data — IP address, browser type and version, device type, operating system, and connection quality metrics.
• Usage data — pages visited, features used, interview session durations, report generation requests, credit usage history, login timestamps, and session activity.
• Consent records — records of when you agreed to this policy, including IP address, browser type, and policy version accepted.

3. How We Use Your Information (APP 6)

3.1 Primary purposes

• Conduct AI-driven interviews using voice technology and transcribe interview audio.
• Generate narrative content (profile pieces, impact narratives, grant narratives, and funding pitches) based on your interview responses.
• Deliver generated reports via email and the platform dashboard.
• Provide account access, user authentication, and maintain account security.
• Analyse usage patterns to improve platform functionality and fix technical issues.
• Communicate with you about your account, interviews, outputs, and service updates.
• Maintain compliance records, audit trails, and meet legal obligations.

3.2 Secondary purposes (with consent)

We will not use your information for secondary purposes such as marketing or aggregated analytics without your explicit consent.

4. AI and Language Model Processing

KylieBot uses artificial intelligence and large language model (LLM) services to conduct interviews and generate narrative content. Your interview responses, voice recordings, and professional information may be processed by third-party AI providers as part of this service.

• VAPI — conducts real-time voice interviews, including audio recording, speech-to-text transcription, and AI-driven interview dialogue. VAPI uses Anthropic Claude as the underlying language model for interview conversation. Audio recordings are stored by VAPI for 7 days and then automatically deleted. They are not stored on KylieBot servers. Processing occurs in the USA.
• OpenRouter — an AI API routing service through which all post-interview text processing is conducted (content generation, scoring, and biography processing). OpenRouter does not store prompts or responses by default; only operational metadata (token counts, latency) is retained. Processing occurs in the USA.
• Anthropic (Claude AI) — used in two ways: (a) as the language model within VAPI during live interviews (managed by VAPI under their terms), and (b) via OpenRouter for generating content types from interview transcripts after the interview. Text only, no audio. Processing occurs in the USA. Content is not retained for model training.
• Google (Gemini AI) — used via OpenRouter for biography processing, conversation scoring, and parts of the content generation pipeline. Interview transcripts (text only) are processed. Accessed on a paid API tier — Google retains prompts for up to 55 days solely for abuse monitoring, then deletes them. Data is not used for model training. Processing occurs in the USA and other countries where Google maintains facilities.

We take steps to minimise data transmitted to these services and do not authorise third-party AI providers to use your data for model training or improvement without your explicit consent.

AI-generated narratives are drafts intended for your review and editing before use. We make no warranty as to the accuracy, completeness, or suitability of AI-generated content.

5. Third-Party Services (APP 6)

We use the following third-party services which may process your data:

We do not sell, rent, or trade your personal information to third parties. We do not share your information for marketing purposes or provide it to data brokers.

6. Cross-Border Disclosure (APP 8)

Some of our third-party service providers may process or store your personal information outside Australia. Specifically, VAPI (USA), OpenRouter (USA), Anthropic (USA), Google (USA/global), Vercel (USA/global), Resend (USA), and Slack (USA, internal admin notifications only) process data overseas.

When we disclose personal information overseas, we:

• Select providers with robust data protection policies.
• Require contractual commitments to data security (Data Processing Agreements).
• Monitor compliance with privacy standards.
• Ensure providers comply with laws substantially similar to the APPs, or obtain your consent.

Our primary database (Supabase) is hosted in Sydney, Australia (ap-southeast-2). We are committed to maximising Australian data residency where practicable.

7. Data Sharing

We may share your information with:

• Your organisation — the organisation that arranged your access to KylieBot may have access to interview outputs and narratives generated on their behalf.
• Service providers — third-party vendors who assist us in operating the platform (as described in Section 5), under strict confidentiality obligations.
• Legal requirements — where we are required to disclose information by law, court order, or governmental authority, or to respond to Notifiable Data Breach requirements (see Section 10).

8. Data Security (APP 11)

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

• All data in transit is protected with HTTPS/TLS encryption.
• Database encryption at rest (Supabase AWS KMS).
• Passwords are hashed with bcrypt.
• Role-based access control (user, admin, super_admin) with least-privilege policies.
• Administrative actions are logged with timestamps for audit purposes.
• Regular security scanning and dependency vulnerability monitoring.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

9. Data Retention (APP 10, 11)

We retain your personal information for the periods outlined below:

After retention periods expire, data is permanently deleted and cannot be recovered.

10. Data Breach Notification

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, we have procedures to detect, assess, and respond to data breaches.

If we determine an eligible data breach has occurred, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) within 30 days.
• Notify affected individuals as soon as practicable.
• Provide a description of the breach, the kind of information involved, and recommended steps to mitigate potential harm.

If you suspect unauthorised access to your account, change your password immediately and contact us at info@kyliebot.com.

11. Your Rights (APP 12, 13)

11.1 Access your personal information

You can view your profile information in account settings and access generated reports in the dashboard. You may also email us to request a copy of your personal information; we will respond within 30 days.

11.2 Correct your personal information

You can update profile information directly in account settings. To correct inaccuracies in interview transcripts or other data, contact us and we will respond within 30 days.

11.3 Delete your account and data

You may request account deletion by contacting us at support@kyliebot.com, or via the account settings page. A 30-day grace period applies to allow cancellation. After that, all personal information is permanently deleted except audit logs (retained for 24 months) and financial transaction records (retained for 7 years as required by tax law).

11.4 Withdraw consent

You may withdraw consent for AI processing of interview data (which will result in discontinuation of the service) or for non-essential email communications. To withdraw consent, contact us at info@kyliebot.com.

12. Anonymity and Pseudonymity (APP 2)

Where practicable, you may interact with us anonymously or using a pseudonym (for example, for initial enquiries or general support questions). However, to provide our core services — interview processing, report generation, and account authentication — we require your real name and a valid email address.

13. Cookies

We use essential cookies to maintain your authenticated session. These cookies are necessary for the platform to function and cannot be disabled. We do not use advertising or tracking cookies.

14. Children’s Privacy

KylieBot is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at info@kyliebot.com and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the platform and ask you to review and re-accept the updated policy before continuing to use the service. Continued use after acceptance of an updated policy constitutes agreement to the revised terms.

16. Complaints (APP 1)

If you believe we have breached the Australian Privacy Principles, you may:

• Step 1: Contact us — email info@kyliebot.com. We will investigate and respond within 30 days.
• Step 2: Escalate to the OAIC — if you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, by phone on 1300 363 992, or by email at enquiries@oaic.gov.au.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us at:

STEM MATTERS PTY LTD
ABN 69 169 537 142
Email: info@kyliebot.com

Appendix: Australian Privacy Principles Coverage

This Privacy Policy addresses all 13 Australian Privacy Principles: