Privacy Policy — Adoptic

1. About This Policy

This Privacy Policy explains how [Adoptic Pty Ltd] ("Adoptic", "we", "us", "our") collects, holds, uses, and discloses Personal Information. It applies to all users of the Adoptic platform at adoptic.online, including client administrators, assessors, applicants, and visitors.

Adoptic is bound by the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth). Where we handle information relating to individuals in the United Kingdom or European Economic Area, we also comply with the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR").

By accessing or using our platform, you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

Term	Meaning
Personal Information	Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. Under GDPR, this corresponds to "personal data".
Sensitive Information	A subset of Personal Information including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, biometric data, and trade union membership. Under GDPR: "special category data".
Client Data	All data uploaded to, submitted through, or generated within the platform on behalf of a client organisation, including application data, assessment data, uploaded documents, and report outputs.
Derived Data	Data produced by Adoptic's proprietary algorithms and analytical processes from Client Data, including scores, rankings, statistical summaries, and report outputs.
Aggregated Data	Data that has been combined across multiple sources and de-identified such that no individual is reasonably identifiable.
Platform	The Adoptic web application at adoptic.online and any associated APIs, tools, or services.
Data Controller	The entity that determines the purposes and means of processing Personal Information (typically the client organisation).
Data Processor	The entity that processes Personal Information on behalf of the Data Controller (Adoptic, when processing Client Data).
AI Processing	The processing of Client Data using third-party large language models (LLMs) via Amazon Bedrock to perform assessment analysis, scoring, and report generation as part of Adoptic's analytical pipeline.

3. Our Role: Data Controller vs. Data Processor

Adoptic operates in two capacities:

As a Data Processor: When we process Client Data on behalf of our client organisations (the Data Controllers). This includes storing application data, running assessments, generating reports, and hosting uploaded documents. In this capacity, we process Personal Information only in accordance with our clients' instructions and applicable law.

As a Data Controller: When we collect and process Personal Information for our own purposes, such as managing user accounts, administering the platform, communicating with users, and improving our services.

Where we act as a Data Processor, the client organisation remains responsible for ensuring that it has appropriate lawful bases and privacy notices in place.

4. What Personal Information We Collect

4.1 Information You Provide Directly

Category	Examples
Account information	Name, email address, password (stored as a cryptographic hash), role, organisation membership
Client organisation data	Organisation name, type, data region preference
Application & project data	Project names, descriptions, assessment criteria and scores, supporting documents, budget information, narrative responses
Program & cohort data	Program names, descriptions, cohort structures, intake periods
Uploaded documents	Any files uploaded to the platform, which may contain Personal Information, Sensitive Information, financial data, or proprietary content
Communications	Emails, support requests, feedback, task notes, in-platform comments

4.2 Information We Collect Automatically

Category	Examples
Log data	IP address, browser type and version, operating system, referring URL, pages visited, date and time of access
Cookies	Session cookies for authentication, CSRF security tokens (see Section 11)
Usage data	Features accessed, reports generated and downloaded, actions taken within the portal
Consent records	Records of consents granted or revoked, including timestamps and IP addresses

4.3 Information From Third Parties

Your employer or organisation administrator, who creates or manages your account
Invitation links shared by existing users

4.4 Sensitive Information and Special Category Data

We do not intentionally collect Sensitive Information unless it is voluntarily included by applicants or clients in uploaded documents, application forms, or free-text fields.

Where Sensitive Information is provided:

We rely on the client (as Data Controller) to have obtained appropriate consent or another lawful basis
We treat it with the highest level of care and restrict access to authorised personnel only
We do not use it for any purpose other than providing the contracted services
Under GDPR, processing is limited to the bases in Article 9(2)

5. How We Use Your Personal Information

Purpose	Description	Legal Basis (GDPR)
Providing our services	Operating the platform, processing applications, generating reports, hosting documents	Contract / Legitimate interest
Authentication & security	Verifying identity, managing sessions, preventing unauthorised access	Contract / Legitimate interest
Data analysis & reporting	Running proprietary assessment algorithms and AI-powered analysis (including LLM-based processing via Amazon Bedrock) on submitted data to produce reports (see Section 6)	Contract
Administration	Managing client relationships, invitations, user roles, and billing	Contract
Communication	Responding to enquiries, providing support, service notifications	Legitimate interest
Platform improvement	Analysing usage patterns to improve features, fix bugs, develop new functionality	Legitimate interest
Aggregated insights	Producing de-identified, aggregated statistical insights (see Section 6.5)	Legitimate interest
Legal compliance	Complying with applicable laws, regulations, and legal processes	Legal obligation

We will never sell Personal Information to third parties. We will not use Client Data for marketing purposes.

6. Data Science, Automated Processing, and Algorithmic Analysis

6.1 What We Do

Adoptic uses proprietary data science methodologies, algorithms, and AI-powered analysis to analyse application data submitted by clients. This includes:

Scoring and assessment — calculating Desirability, Adoptability, Feasibility, Viability, and Psychosocial scores
AI-powered analysis — submitting application text to large language models (LLMs) via Amazon Bedrock for quote extraction, argument generation, evidence verification, and scoring (see Section 6.7)
Statistical analysis — producing descriptive statistics, distributions, benchmarks, and comparative analyses
Report generation — compiling outputs into structured reports (Audit, Assessor's Aid, Cohort, Comparison, Guidance)
Data visualisation — generating charts, graphs, and visual representations

6.2 Automated Decision-Making and Profiling

Our algorithms produce outputs designed to inform and support human decision-making, not replace it:

No solely automated decisions: We do not make decisions producing legal or similarly significant effects on individuals based solely on automated processing. Although our pipeline includes AI/LLM processing (see Section 6.7), LLM outputs are intermediate inputs — structured, validated, and combined with other analytical steps before producing final scores
Human oversight: All final decisions remain with the client organisation's authorised personnel. No individual outcome is determined solely by an AI model
Transparency: Our methodologies are documented and can be explained upon request. We do not operate opaque "black box" algorithms
No profiling for marketing: We do not build profiles for advertising, credit scoring, or unrelated purposes

6.3 Rights Relating to Automated Processing

Under GDPR Article 22, individuals have the right not to be subject to solely automated decisions with legal or significant effects. Because Adoptic's outputs are advisory and require human review, Article 22 does not apply to our standard processing. However, you may:

Request an explanation of the logic involved
Request human review of the output
Express your point of view and contest the decision

6.4 Derived Data and Intellectual Property

Client Data ownership: Clients retain ownership of all data they upload to or create within the platform
Derived Data: Analytical outputs are produced for the exclusive benefit of the client and treated as confidential
Proprietary algorithms: The algorithms and software are Adoptic's intellectual property. Clients receive outputs but not rights to the underlying source code
No cross-client use: We do not use one client's identifiable data to produce outputs for another

6.5 Aggregated and De-identified Data

We may produce aggregated, de-identified data to improve our algorithms, produce sector-wide benchmarks, and publish anonymised sample reports. This data cannot reasonably identify any individual or client organisation.

6.6 Model Training and Improvement

We use only de-identified and aggregated data for model training, not identifiable Client Data
We do not use Client Data to train models for unrelated purposes
Clients may opt out of de-identified data use for model improvement by notifying us in writing

6.7 AI and Large Language Model Processing

Adoptic's analytical pipeline includes processing of Client Data using large language models (LLMs) provided through Amazon Bedrock, a managed AI service operated by AWS.

What data is sent to the LLM:

Full application text submitted by applicants (narrative responses, project descriptions, supporting information)
Assessment variable definitions and scoring criteria defined by the client
Not sent: User credentials, account information, billing data, or raw uploaded files (only extracted text content relevant to the assessment)

How data is processed:

Application text is submitted to the LLM (Claude, developed by Anthropic, hosted on Amazon Bedrock) as part of a four-step pipeline: quote extraction, argument generation, evidence verification, and scoring
Approximately 70 LLM calls are made per application, covering each assessment variable
LLM outputs are structured scores, extracted quotes, and analytical reasoning — intermediate inputs to the broader scoring engine
Each invocation is independent; no data from one client's application is used in processing another's

Where data is processed:

All LLM processing occurs in the ap-southeast-2 (Sydney, Australia) AWS region
No Client Data is transferred overseas for LLM processing

Data retention by the LLM provider:

Amazon Bedrock does not retain, store, or log input or output data for model training or improvement
Input and output data is not shared with model providers (Anthropic) or across AWS customers
Data is encrypted in transit (TLS) and at rest by AWS
Ephemeral prompt caching may be used for system prompts within a session; cached content is not persisted

No use of Client Data for AI training:

Client Data is never used to fine-tune, train, or improve any AI model — by Adoptic, AWS, or Anthropic

Security and compliance:

Amazon Bedrock is SOC 2 Type II and ISO/IEC 27001 certified
Access authenticated via AWS IAM credentials
Processing confined to ap-southeast-2 and subject to Australian data residency

7. Disclosure of Personal Information

7.1 Your Organisation

Organisation administrators may access your account details, activity, and submitted data, as determined by role-based settings.

7.2 Service Providers (Sub-processors)

Provider	Purpose	Location
Amazon Web Services	Cloud hosting, storage, backups	[REGION]
Amazon Bedrock (AWS)	AI-powered application analysis using large language models (see Section 6.7)	ap-southeast-2 (Sydney)
Railway	Application hosting (transitioning to AWS)	United States
[Email provider]	Transactional email delivery	[REGION]
[Payment provider]	Payment processing	[REGION]

7.3 Legal and Regulatory

To comply with a legal obligation, subpoena, warrant, or court order
To enforce our terms of use or protect our rights, property, or safety
To protect the safety of any person
To investigate suspected fraud or security incidents

7.4 Business Transfers

In the event of a merger, acquisition, or sale, Personal Information may be transferred to the successor entity. We will notify affected users and provide an opportunity to request deletion.

7.5 De-identified and Aggregated Data

We may share data that cannot reasonably identify any individual, such as anonymised sample reports published for demonstration.

7.6 With Your Consent

We may disclose Personal Information where you have given explicit consent.

8. Overseas Disclosure and International Transfers

Personal Information may be transferred to or stored in:

United States — Railway hosting, [other providers]
[Other regions as applicable]

Note: AI/LLM processing via Amazon Bedrock is performed entirely within ap-southeast-2 (Sydney, Australia). No Client Data is transferred overseas for AI processing.

Before disclosing overseas, we take reasonable steps to ensure compliance with the APPs (APP 8). Under GDPR, transfers are made only where an adequacy decision exists, Standard Contractual Clauses are in place, or an Article 49 derogation applies.

9. Data Security

Encryption in transit — TLS 1.2+ (HTTPS) on all connections
Encryption at rest — AES-256 for database and storage volumes
Password hashing — PBKDF2-SHA256, never stored in plain text
Role-based access controls — users only see data relevant to their role and organisation
Organisation-level data isolation — enforced at the application layer
Invite-only access — secure, time-limited invitation links
Audit logging — significant actions logged for accountability

For full detail, see our Data Security Policy.

10. Data Retention

Data Type	Retention Period
User accounts	Duration of account + [X] years after deletion
Client Data	Duration of contract + [X] years, unless earlier deletion requested
Derived Data	Same as source Client Data
Log & usage data	[X] months from collection
Consent records	[X] years after revocation or account deletion
Aggregated data	Retained indefinitely (not Personal Information)

10.1 Client-Initiated Deletion

Clients may request deletion at any time. We will delete or de-identify all Client Data within [X] business days and confirm in writing.

10.2 Data Portability and Export

Clients may request an export in CSV, JSON, or PDF format. We fulfil requests within [X] business days.

11. Cookies

Cookie	Type	Purpose	Duration
Session	Strictly necessary	Maintains authenticated session	Browser close / [X]h inactivity
CSRF token	Strictly necessary	Prevents cross-site request forgery	Session

We do not use advertising, retargeting, third-party tracking, or social media cookies.

12. Your Rights

12.1 Under the Australian Privacy Act

Access the Personal Information we hold about you (APP 12)
Request correction of inaccurate, out-of-date, or misleading information (APP 13)
Complain about a breach of the Australian Privacy Principles
Anonymity / pseudonymity where practicable (APP 2)

12.2 Under UK/EU GDPR (where applicable)

Erasure ("right to be forgotten") — Article 17
Restriction of processing — Article 18
Portability — structured, machine-readable format — Article 20
Objection to processing based on legitimate interest — Article 21
Withdraw consent at any time — Article 7
Automated decision-making — request human intervention — Article 22

12.3 How to Exercise Your Rights

Contact us at [PRIVACY CONTACT EMAIL]. We will acknowledge within 5 business days and respond within 30 days.

13. Client Responsibilities

As Data Processor, our clients (Data Controllers) are responsible for:

Ensuring appropriate lawful bases for collection and processing
Providing clear privacy notices to applicants and stakeholders
Obtaining necessary consents before uploading Personal or Sensitive Information
Responding to data subject access requests
Complying with applicable data protection laws
Notifying Adoptic of any data breach affecting platform-held data

13.1 Data Processing Agreements

We enter into DPAs covering: subject matter, data types, controller obligations, sub-processor arrangements, security measures, audit rights, breach notification, and data return/deletion on termination. Contact [PRIVACY CONTACT EMAIL] for a DPA.

14. Document Uploads and Client-Controlled Content

Uploaded documents are stored securely per our Data Security Policy
We do not review or moderate content unless required for support or legal compliance
We do not claim ownership of uploaded documents
All uploads are treated as Confidential Client Data
Access restricted to authorised users within the relevant organisation

Clients must ensure uploaded content complies with applicable laws and does not contain malicious code.

15. Complaints

We will acknowledge complaints within 5 business days and respond within 30 days. If unsatisfied, escalate to:

Office of the Australian Information Commissioner (OAIC)
www.oaic.gov.au · 1300 363 992

Information Commissioner's Office (ICO) (UK/EEA)
www.ico.org.uk · 0303 123 1113

16. Children's Information

Adoptic does not knowingly collect Personal Information from children under 16. Our platform is designed for organisations and their authorised personnel. If a child's data has been submitted, contact us immediately.

17. Changes to This Policy

Updated policy posted with a revised version date
Material changes communicated at least 14 days before taking effect
Continued use after changes constitutes acceptance

18. Related Policies

Data Security Policy — technical and organisational measures
Terms of Use — conditions of access to the platform
Cookies Declaration — detailed cookie information
Third-Party Service Providers — current sub-processor list

19. Contact Us

[Adoptic Pty Ltd]
ABN: [XX XXX XXX XXX]
Address: [REGISTERED ADDRESS]
Email: [PRIVACY CONTACT EMAIL]
Website: adoptic.online