1. Who we are.
The GAiGE ("we", "us", "our") is a product of Digital Recreations Pty Ltd (ABN 19 668 879 356), trading as AiGILE Dev, an Australian company registered in New South Wales.
We provide a software-as-a-service platform that helps organisations measure the effectiveness of their AI tools through short feedback pulses delivered via a browser extension (available for Chrome and Microsoft Edge).
This policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights under the Privacy Act 1988 (Cth) ("Privacy Act"), the Australian Privacy Principles ("APPs"), and the EU General Data Protection Regulation ("GDPR") where applicable.
2. Our role, data controller and processor.
We act in two capacities depending on the type of data:
- Data controller, for account data (your name, email, organisation details) and platform usage data. We decide why and how this data is processed.
- Data processor, for pulse response data submitted by your team members. Your organisation's administrators decide which pulses to run, which tools to measure, and who to invite. We process the responses on their behalf.
If your organisation requires a Data Processing Agreement (DPA), contact support@thegaige.com.
3. What data we collect.
We collect the following categories of personal information:
Account information
Name, email address, organisation name, role, and time zone. Collected when you sign up or are invited by your organisation's administrator.
Authentication data
We use Clerk for authentication. Clerk may store session tokens, IP addresses, and device information. See Clerk's privacy policy.
Pulse responses
Answers you provide through feedback pulses, including ratings (e.g. satisfaction 1–5), time-saved estimates, multiple-choice selections, and optional free-text comments. These are stored against your user account within your organisation.
Important: Your organisation's administrators see aggregated, anonymous reports, not your individual answers. Responses are rolled up into averages, percentages, and trends. No admin can see "Sarah rated Copilot 2/5 on Tuesday."
Browser extension data
The extension (available for both Chrome and Microsoft Edge) stores authentication tokens and pulse schedules locally on your device. It communicates with our API to fetch schedules and submit responses. It does not collect browsing history, page content, form inputs, passwords, cookies, keystrokes, or screenshots. See our extension page for full technical details.
Payment information
Processed by Stripe. We collect your billing address and phone number at checkout. We do not store credit card numbers, CVVs, or bank account details. Stripe handles this in their PCI-compliant infrastructure. See Stripe's privacy policy.
Usage and analytics data
We use PostHog (EU-hosted) for product analytics and Sentry for error tracking. We also use Plausible (privacy-focused, cookie-free) for anonymous website analytics on our public pages.
4. Lawful basis for processing (GDPR).
Where the GDPR applies (e.g. for users in the European Economic Area or UK), our lawful basis for processing is:
- Performance of a contract (Art. 6(1)(b)), to provide the Service you signed up for, process payments, and deliver pulses.
- Legitimate interests (Art. 6(1)(f)), to improve the Service, prevent fraud, ensure security, and send transactional emails (e.g. trial reminders, billing notifications). We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)), for optional marketing communications (if we introduce them in future). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)), to comply with tax, accounting, and regulatory requirements.
5. How we use your data.
We use your personal information to:
- Provide, maintain, and improve the Service.
- Deliver feedback pulses at appropriate times via the browser extension.
- Generate aggregated reports and insights for your organisation's administrators.
- Communicate with you about your account, including trial reminders, billing notifications, and weekly digest emails.
- Process payments and manage your subscription.
- Monitor and fix errors, security issues, and performance problems.
- Comply with legal obligations under Australian law and, where applicable, EU law.
We do not use your pulse responses, comments, or ratings for advertising, profiling, or any purpose other than providing the Service to your organisation, with one explicitly-scoped exception described below.
Aggregated industry insights
We may publish aggregated, de-identified data about AI tool usage, satisfaction, and adoption patterns across our customer base, for example industry benchmarks, top-rated tools by category, or trend reports. We do this only when all of the following are true:
- The published data covers at least 10 customer organisations and 100 individual responses for any single data point.
- No customer organisation, individual user, or specific tool deployment can be identified from the published data, including by combining it with other publicly-available information.
- Customers may opt their organisation out of contributing to published reports at any time via Settings, then Organization, then Industry insights. Opt-out takes effect immediately.
This data is no longer "personal information" once aggregated to the thresholds above, but we treat the commitment seriously regardless.
6. How we share your data.
We do not sell your personal data. We share data only with the third-party services necessary to operate the platform.
- Amazon Web Services (AWS)
- Clerk
- Stripe
- MailerSend
- PostHog
- Sentry
- Plausible
- UptimeRobot
- MailerLite
- Attio
We may also disclose personal information if required by law, court order, or government request, or to protect the rights, safety, or property of the Company, our users, or the public.
7. Cross-border data disclosure (APP 8).
Under the Australian Privacy Principles, we are required to inform you when your personal information may be disclosed to recipients outside Australia. As shown in the list above, some of our sub-processors operate in the United States and the European Union.
Before engaging any sub-processor, we take reasonable steps to ensure they comply with obligations substantially similar to the APPs. Where GDPR applies, we rely on Standard Contractual Clauses (SCCs) or the sub-processor's adequacy determination to safeguard international transfers.
8. Data storage and security.
Your primary data (accounts, organisations, pulse responses, reports) is stored on AWS infrastructure in the Sydney, Australia region (ap-southeast-2). We implement the following security measures:
- Encryption in transit: all connections use TLS 1.2 or higher.
- Encryption at rest: database storage uses AES-256 encryption (AWS RDS).
- Access control: production systems are accessible only to authorised personnel via encrypted channels.
- Authentication tokens: extension tokens are stored as SHA-256 hashes. The raw token is only shown once at issuance.
- Payment data: handled entirely by Stripe in their PCI DSS Level 1 certified infrastructure.
No system is 100% secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
9. Data retention.
- Active accounts: data is retained for the lifetime of your account and subscription.
- After cancellation: data is retained in read-only mode for 90 days to allow for export or reactivation. After 90 days, data may be permanently deleted.
- Legal retention: we may retain certain data longer where required by law (e.g. tax records for 5 years under Australian tax law).
- Aggregated data: anonymised, aggregated data that cannot identify any individual may be retained indefinitely for research and product improvement.
10. Your rights.
Under the Australian Privacy Act
You have the right to:
- Access the personal information we hold about you (APP 12).
- Request correction of inaccurate or out-of-date information (APP 13).
- Complain about a breach of the APPs. We will respond to complaints within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Under the GDPR (where applicable)
If you are in the EEA or UK, you additionally have the right to:
- Erasure ("right to be forgotten"), request deletion of your data, subject to legal retention requirements.
- Restriction, request that we limit processing of your data in certain circumstances.
- Data portability, receive your data in a structured, machine-readable format (e.g. CSV or JSON).
- Object, object to processing based on legitimate interests.
- Withdraw consent, where processing is based on consent, withdraw it at any time without affecting prior processing.
- Complain to your local supervisory authority if you believe your data protection rights have been violated.
To exercise any of these rights, contact us at support@thegaige.com. We will respond within 30 days (or the applicable statutory timeframe).
11. Cookies and local storage.
We use essential cookies required for authentication and session management. We do not use advertising, tracking, or third-party marketing cookies.
The browser extension uses the standard WebExtensions storage.local API (in both Chrome and Microsoft Edge) to store authentication state and pulse scheduling data. This data stays on your device and is not shared with third parties.
Our public website uses Plausible Analytics, which is cookie-free. It does not use cookies, local storage, or any form of client-side tracking.
12. Automated decision-making.
We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you (as described in GDPR Article 22).
Our "Smart insights" feature uses rule-based heuristics (not machine learning or AI) to surface patterns in aggregated, anonymous response data. These insights are informational and are presented to administrators. They do not make decisions about individuals.
13. Children's privacy.
The GAiGE is a workplace tool designed for use by adults in professional settings. We do not knowingly collect personal information from anyone under the age of 16. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
14. Changes to this policy.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact us
Digital Recreations Pty Ltd (ABN 19 668 879 356)
Trading as AiGILE Dev
2 Ada Avenue, Brookvale NSW 2100, Australia
Phone: 1300 93 44 06
Privacy enquiries: support@thegaige.com
General support: support@thegaige.com