Privacy Policy
This Privacy Policy explains how Faultex collects, uses, discloses and protects personal information, in accordance with the Australian Privacy Principles.
1. About this Privacy Policy
This Privacy Policy explains how [Faultex Pty Ltd] (ACN/ABN [ABN/ACN], "Faultex", "we", "us" or "our") handles personal information when you visit our website and use the Faultex supply-chain risk intelligence service (the "Service").
We are based in Australia and we are committed to handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). "Personal information" has the meaning given in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Much of the data you enter into Faultex is business information about your organisation and your suppliers (for example, supplier company names, commodities and trade lanes) rather than personal information about individuals. Where that business information also identifies or relates to an individual (for example, a sole-trader supplier or a named contact), we treat it as personal information and handle it under this Policy.
By creating an account or using the Service, you acknowledge this Policy. If you do not agree with it, please do not use the Service.
2. The kinds of personal information we collect
We collect the following categories of information:
- Account and identity information: your email address and password (or, if you use Google sign-in, the basic Google account profile details Google passes to us, such as your email and name). Passwords are handled by our authentication provider and are not stored by us in readable form.
- Onboarding and profile information: your organisation name, industry, headquarters country, company size, delivery timezone and briefing frequency/cadence preferences.
- Supply-chain inputs you provide: the supplier names, commodities, regions, trade lanes and regulators you enter to configure your risk register. This is mostly business information about third parties, but may include individuals where (for example) a supplier is a sole trader or you enter a named contact.
- Content you generate or request: mitigation plans, briefing documents, risk reports, product breakdowns, and emails or documents drafted (and, where you grant "act" authority, sent or inserted) by the Agent Team on your behalf.
- Usage and technical information: page views and feature interactions, device/browser information, IP address, and similar analytics data collected via our analytics tools and our servers.
- Billing information: if you subscribe to a paid plan or purchase a one-time unlock, your payment is processed by our payment provider (Stripe). We do not collect or store your full card number; we receive limited transaction and subscription status data from Stripe.
- Derived information: risk scores, severity bands, forecasts and other outputs we generate for you based on the inputs above and on third-party data sources.
We do not intentionally collect sensitive information (as defined in the Privacy Act, such as health or biometric data). Please do not enter sensitive information into the Service.
3. How we collect personal information
We collect personal information:
- Directly from you, when you sign up, complete onboarding, configure your profile, enter supply-chain inputs, generate content, contact us, or subscribe.
- Automatically, when you use the Service, through cookies, browser local storage and analytics (see section 11).
- From third parties, namely our authentication provider (where you use Google sign-in) and our payment provider (subscription and transaction status).
Where it is reasonable and practicable, we collect personal information about you directly from you. If we receive personal information we did not request and could not lawfully have collected, we will deal with it in accordance with APP 4.
4. Why we collect, hold, use and disclose your information
We collect, hold and use personal information to:
- create and administer your account and authenticate you;
- configure and deliver the Service, including your tailored risk register, dashboard, daily/weekly/triggered briefings and email alerts;
- generate risk scores, forecasts, product breakdowns, watchlist matches, mitigation plans and other outputs;
- operate AI-assisted features, including drafting and (with your authority) sending content via the Agent Team;
- process payments, manage subscriptions, trials and one-time unlocks, and prevent fraud;
- provide support and respond to your enquiries;
- maintain, secure, troubleshoot and improve the Service; and
- comply with our legal obligations.
We will only use or disclose your personal information for the primary purpose for which it was collected, for a directly related secondary purpose you would reasonably expect, or where you have consented or we are otherwise permitted or required by law (APP 6).
We do not sell your personal information, and we do not use your account profile, supplier list, regions or lanes to train third-party AI models. We may use de-identified and aggregated signal trends internally to maintain and improve our risk-scoring; we do not publish your individual profile.
5. AI processing of your inputs
Some features of the Service use artificial intelligence and large language models (LLMs) to generate content — for example mitigation plans, briefing and report text, forecasts, and Agent-drafted emails and documents.
To provide these features, the inputs needed to perform the task (which may include your organisation details and the supplier, commodity, region or lane information relevant to the request) are sent to our AI/LLM sub-processor for processing and returned to you. We use providers under contractual terms that restrict use of your data to providing the service to us and that do not permit your data to be used to train their general models. We do not use your data to train our own or third parties' foundation models.
AI-generated outputs may be inaccurate, incomplete or out of date and should be reviewed by you before you rely on or send them.
6. Third-party data sources in our outputs
Our outputs are built in part from third-party and public data sources, including company-ownership data (GLEIF), country-risk indicators (World Bank), trade data, and approximately 28 public sanctions, export-control, debarment and forced-labour lists used by the Watchlists feature.
This third-party data is provided to us "as is". It may be incomplete, out of date or contain errors, and we do not control it. Watchlist matches are indicative, name-based results intended to prioritise your own due diligence — they are not a determination that any company or individual is sanctioned, debarred, or linked to any conduct. Risk scores, severity bands, ownership resolutions, country-risk labels and forecasts are derived analytical outputs, not statements of fact, and forecasts are probabilistic estimates that may prove wrong. You should verify any result against the original official source before relying on it.
7. Who we share personal information with
We do not sell your personal information. We disclose it only to:
- Service providers and sub-processors who help us run the Service, under confidentiality and data-protection obligations. These currently include: [Google Firebase] (authentication and analytics), [our AI/LLM provider] (AI generation), [n8n] (workflow automation), [Cloudflare] (content delivery and security), [Stripe] (payments), and our own hosting infrastructure. The named providers should be confirmed and kept current.
- Recipients you direct, where you use the Agent Team's "act" authority to send emails or insert documents — those communications go to the recipients you specify.
- Legal and safety recipients, where we are required or permitted by law, to enforce our terms, or to protect our rights, users or the public.
- A successor entity, in connection with a sale, merger or restructure of our business, subject to this Policy.
We do not disclose your personal information to third parties for their own marketing.
8. International transfers / overseas disclosure
Some of our sub-processors store or process data outside Australia (for example in the United States or other countries where our authentication, AI, automation, delivery and payment providers operate). The likely countries will depend on the providers listed in section 7 and should be confirmed once those providers are finalised.
Before disclosing personal information overseas, we take reasonable steps to ensure recipients handle it consistently with the APPs, including through contractual protections (APP 8). By using the Service and entering data into it, you acknowledge that your information may be processed overseas by these providers.
9. Data security
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11). These steps include encryption in transit, access controls and authentication, an administrative access allowlist, and use of reputable infrastructure providers.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a data breach likely to result in serious harm, we will assess and respond in accordance with the Notifiable Data Breaches scheme under the Privacy Act, including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required.
10. Retention and deletion
We hold personal information only for as long as it is needed for the purposes described in this Policy, or as required by law (for example, tax and financial records).
You can delete your account at any time from the Profile page, which removes your account and associated profile data (the deletion is double-confirmed to prevent accidents). When you delete your account, or when information is no longer needed and we are not required to retain it, we will take reasonable steps to destroy or de-identify it. Some information may persist for a limited period in backups or where retention is legally required, and de-identified aggregate data may be retained.
11. Cookies, local storage and analytics
The Service uses cookies and browser local storage to keep you signed in, remember preferences (such as theme and onboarding progress), and operate core functionality. We also use analytics (including our authentication provider's analytics) to understand how the Service is used so we can improve it.
Most browsers let you block or delete cookies and local storage, but some features of the Service may not work properly if you do.
12. Your rights — access and correction
Under the APPs you may request access to the personal information we hold about you (APP 12) and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13). Much of this you can view and update yourself in your profile, or remove by deleting your account.
To make an access or correction request, contact us using the details in section 15. We will respond within a reasonable period. We do not generally charge for access requests, though a reasonable cost-based charge may apply in limited cases; we will not charge you to make a request. We may need to verify your identity before acting.
13. Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact us first using the details in section 15 so we can investigate and respond, usually within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, by phone on 1300 363 992, or by writing to GPO Box 5288, Sydney NSW 2001.
14. Children
The Service is a business tool intended for use by organisations and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will take reasonable steps to delete it.
15. How to contact us
For any privacy question, request or complaint, contact:
[Faultex Pty Ltd] Privacy / Legal: [legal contact email]
We may ask you to verify your identity before we action a request.
16. Changes to this Policy
We may update this Policy from time to time to reflect changes to the Service, our providers, or the law. We will post the updated version with a new effective date, and where changes are material we will take reasonable steps to notify you (for example by email or an in-app notice). Your continued use of the Service after an update takes effect means you accept the updated Policy.