ninthLABS Ventures Pty Ltd (“ninthLABS”, “we”, “us”) is committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use OBEL™.
1. Information We Collect
Account information
When you create an account, we collect your name, email address, and organisation details. This data is managed through Clerk (our identity provider) and stored in our database.
Usage and interaction data
We record metadata about your interactions with the Services, including prompt token counts, model selections, cost events, PII scrubber hits (without the original sensitive content), classification decisions, and request latency. We do not store the raw text of your prompts unless SIEM forwarding with content inclusion is explicitly enabled by your organisation administrator.
Billing information
Payment details are collected and processed by Stripe. We do not store full payment card numbers. We receive a tokenised payment reference, the last four digits of your card, and billing address from Stripe for our records.
Technical and analytics data
With your consent, we collect anonymous usage analytics via Google Analytics (page views, session duration) to understand how the platform is used. We also collect standard server logs (IP address, user agent, request timestamps) for security and troubleshooting purposes.
2. How We Use Your Information
- Provide, operate, and improve the Services
- Authenticate your identity and manage access to your workspace
- Process payments and manage subscriptions
- Generate and maintain tamper-evident audit records
- Detect and respond to security incidents, fraud, or abuse
- Communicate service updates, security notices, and product announcements
- Comply with our legal obligations
We do not use your prompts, responses, or audit data to train AI models — ours or any third party's.
3. Sub-processors and Third Parties
To deliver the Services, we share data with the following sub-processors. A full list is available in our Data Processing Agreement.
| Processor | Purpose | Location |
|---|---|---|
| Clerk | Identity & authentication | USA |
| Supabase | Database & file storage | USA (multi-region) |
| Stripe | Payment processing | USA |
| Anthropic | Claude AI model inference | USA |
| OpenAI | GPT model inference | USA |
| Google AI | Gemini model inference | USA/Global |
| Groq | Fast inference (Llama, Mixtral) | USA |
| GitHub | Tamper-evident audit trail | USA |
AI model providers (Anthropic, OpenAI, Google AI, Groq) receive scrubbed prompt text — the original text with PII replaced by typed placeholders. They do not receive the pre-scrub content.
4. Data Retention
Account data is retained for the duration of your subscription and for 90 days after account closure, to allow for data export requests. Audit log entries are retained for a minimum of 12 months and may be retained longer if required for compliance purposes. Anonymous analytics data may be retained indefinitely in aggregated form.
You may request deletion of your personal data by contacting privacy@ninthlabs.ai. We will respond within 30 days. Note that we may be required to retain certain data by law.
5. Your Rights
Under the Australian Privacy Act 1988 (Cth) and the APPs, you have the right to:
- Request access to personal information we hold about you
- Request correction of inaccurate or incomplete personal information
- Request deletion of your personal information (subject to legal retention obligations)
- Complain to us if you believe we have interfered with your privacy
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if your concern is not resolved
To exercise any of these rights, contact us at privacy@ninthlabs.ai.
6. Security
We implement appropriate technical and organisational measures to protect your personal information, including AES-256-GCM encryption for stored credentials, row-level security on all database tables, and TLS in transit. For a full description of our security architecture, see the Security page.
In the event of a data breach, we will notify affected users and the OAIC in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
7. International Transfers
ninthLABS Ventures Pty Ltd is based in Australia. Some of our sub-processors are located in the United States. Before transferring personal information overseas, we take reasonable steps to ensure that overseas recipients handle your data in a manner consistent with the APPs, in accordance with APP 8.
8. Cookies
We use cookies and similar technologies for analytics and session management. See our Cookie Policy for full details. Analytics cookies are only loaded with your consent.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice. The effective date at the top of this page will always reflect the most recent version.
10. Contact
Privacy enquiries: privacy@ninthlabs.ai
ninthLABS Ventures Pty Ltd, New South Wales, Australia